Business Interruption, Financial Risk and the Internet of Things

Posted by Mark Greisiger

A Q&A with Ashwin Kashyap of Symantec

On the long—and growing—list of cyber security concerns that keep risk managers up at night are business interruption due to denial of service attacks and the profound vulnerabilities in the Internet of Things. I asked Ashwin Kashyap, director of product management for Symantec, about these risks, the company’s latest research and what can be done to adequately prepare for potentially costly security breaches and business interruption.

As an organization, you not only need to know your own security measures and business continuity plans and practices but you also need to know those of your vendors.

How much of a threat does business interruption pose for companies that require high availability to conduct business?  
A very high level of threat. First of all, it’s not just the insured company’s own system that’s at risk but the systems of vendors in the supply chain. A company can be directly impacted by a cyber attack on their online service provider or any number of other vendors or partners. As an organization, you not only need to know your own security measures and business continuity plans and practices but you also need to know those of your vendors. Of course, the magnitude of loss from these incidents can vary, depending on which portion of revenue comes from online services. If you’re Amazon, obviously, it is much more impactful than if you are a company whose sales largely come from bricks and mortar retail outlets. The third factor is business continuity plans. If the company has a good plan they will be more resilient to such interruptions. It’s important for organizations to understand, however, that even if a cyber insurance policy covers business interruption it will most likely not kick in until an initial interruption period of anywhere from 12 to 48 hours. For some companies, that can mean incurring serious financial loss.

What steps might a risk manager take to reduce their risk exposure here?
Having a strong business continuity plan and the right cyber insurance product in place is a good start. For instance, if you wanted your website to be functional without disruption, you will want to have multiple providers in place. Recently we saw a DDOS attack on a DNS provider used by many large organizations. Some of the organizations that were exclusively reliant on a single provider did experience some down time but the organizations that used multiple providers didn’t suffer any down time. You always want to avoid a single point of failure. You also want to make sure you fully understand your insurance policy, as mentioned above.

Please tell us some of the key findings in the Symantec study about the Internet of Things?  
As an example, an important finding was the reality of security vulnerabilities in cars – Fiat Chrysler recalled millions of vehicles after researchers demonstrated that these cars can be controlled remotely through the exploitation of said vulnerability. We also found that smart homes were especially vulnerable because typically these systems have poor passwords that do not protect the system adequately. On the medical side, many devices such as insulin pumps and x-ray scanners were vulnerable. Even commonly used devices such as smart TVs can be easily targeted by botnets and ransomware. This list is not exhaustive but it points to a just a few reasons why we need to be more aware of security with regard to the Internet of Things. More information on this can be found in Symantec’s Internet Security Threat Report.

Why should a cyber risk insurer and/or their insured client care about this emerging cyber exposure?
For an insurer, it’s a question of risk aggregation and solvency. When you’re talking about connected devices like cars or homes, there is the potential for accumulated risks with multiple claims filed in a short time, all related to a single attack. For an insured client, it’s important to realize that these systems we rely on for increased efficiency may have major security vulnerabilities that need to be protected. The weakest point in the overall network determines the security posture of an entity and it is important that this meets a certain bar. This is where high quality security products that prevent and protect against cyber attacks and the utilization of best practices in managing people and processes play a critical role.

What steps can a client take to better understand the scope of this problem?
Risk modeling can be done at a broad or granular level. If the goal is to perform a qualitative assessment of gaps—such as the use of right products or the proper configuration of such products—it can be helpful. A comprehensive risk model can help the company test against extreme scenarios such as what happens if a vendor breaks down for 48 hours. This can help companies understand what could go wrong and help mitigate operational risks. Once the risk landscape is understood, the client can take steps to transfer some of this risk through the purchase of cyber insurance coverage.

Are there any other concerns risk managers should have?

The focus should be on prevention and protection. Invest in security products and configure them properly. Make sure your company is strictly adhering to best security practices. It’s also critical to inform yourself about cyber risk insurance and choose the right level of coverage for your organization. The right decision alone can save the company millions of dollars.

In summary…
We want to thank Ashwin for his expertise and insights into the cyber risk exposures pertaining to system-related business interruption.  Much of the conversation in cyber risk circles often centers on privacy-related data breaches, but Ashwin shines a light on what may well be the main cyber risk concern for manufacturers and retailers. If a perpetrator knocks down supply chain systems in a protracted DDoS attack, it’s a catastrophe for their bottom line and one which possibly impacts downstream (and dependent) clients and partners.

Moreover, the Internet of Things (IoT) is another emerging cyber risk exposure that traverses  business sectors utilizing everyday devices connected to the public-facing internet. While it’s hard to look into the crystal ball and anticipate what the next big loss/claim might look like, it’s clear that, to Ashwin’s point, cyber risk insurers are studying IoT in an effort to understand possible aggregation and systemic risk.