I had been putting off writing a blog post for a few weeks now, and in that time frame so many interesting things have happened that my topic has changed several times.
First, my colleague Priya Huskins suggested I write about cyber extortion, and the FBI’s recent recommendation that companies do NOT pay the ransom. This was seen as a bit of a revelation, because in 2015, an FBI agent in Boston was widely quoted saying, “To be honest, we often advise people just to pay the ransom.” Last week, I spoke with an agent from the FBI’s Cyber Branch who clarified that the 2015 quote was not official FBI policy, and that it had always been the FBI’s position to discourage ransom payments.
The recent FBI statement does acknowledge that executives will have to evaluate all options to protect their business, which might ultimately involve paying a ransom. Doing so, however, is no guarantee that the victim will regain access to their systems; not surprisingly, criminals do not always honor their promises, and even a working decryption key does nothing to close the hole that let the attackers in. In all cases, companies should be very careful not to pay a ransom without doing some forensic research into who is behind the threat and where they are located. Paying a ransom to a party in a sanctioned country or on a terrorist or sanctions list (in the U.S., the lists administered by OFAC) could create legal liability for the victim.
Before I got too far on the FBI topic, however, I was distracted by the Yahoo breach, at the time the largest disclosed loss of Personally Identifiable Information (PII) in the history of the internet, exposing some 500M accounts: names, email addresses, telephone numbers, birth dates, hashed passwords and, for some accounts, unencrypted security questions and answers. That last part is a new twist, because many websites use the same handful of security questions to verify identity for password resets and account recovery. So even if you hadn’t reused that Yahoo password anywhere, you still need to be concerned that this breach could lead to fraud on other accounts, and you should treat any answer you gave Yahoo as compromised everywhere else you used it.
The hack apparently took two years to uncover, and may have been perpetrated by a state-sponsored actor. Of course, that’s what everyone seems to claim these days, as if it is somehow more excusable for a sophisticated technology company to have been outsmarted by mysterious government forces.
One of the other interesting angles on this story is how the breach might impact Yahoo’s proposed merger with Verizon. Five days after the breach, an article posted on Fortune had the best quote on the matter. “For a company whose tagline used to be ‘Can you hear me now,’ Verizon has been awfully quiet about its commitment to buying Yahoo”.
As recently as October 26, a Verizon exec was quoted as saying the planned acquisition “absolutely still makes sense”, but noted that they were waiting for the results of a breach investigation before making any decisions. If the breach results in a lowered purchase price for Yahoo, cue the shareholder litigation.
But then on October 21, just as I was getting into the Yahoo story, the internet broke.
Early that Friday morning I was boarding a flight to LA for a client meeting. Waiting for the plane to take off, I was annoyed that I couldn’t get my Twitter feed to reload so I could quickly scan some news. By the time the flight landed an hour later, the news was widespread. Major sites such as Facebook, Spotify, Twitter and Airbnb were experiencing outages or significant delays.
The source of the problem was a little-known company called Dyn, which plays a significant role in delivering the internet to our computers, tablets, and phones. Dyn is a managed DNS provider, one of a handful of major companies that run the authoritative name servers translating website names into IP addresses. When you type “anywebsite.com” into your browser, your device asks a recursive resolver (usually your ISP’s or a public one) for the address, and that resolver in turn queries the domain’s authoritative servers; for Dyn’s customers, those servers are Dyn’s. If they don’t answer and the resolver has no cached copy, the site cannot be reached even though its own web servers are perfectly healthy. Imagine how much less user-friendly the internet would be if we had to keep track of IP addresses instead of logical names and phrases to describe websites.
That Friday morning, Dyn came under a Distributed Denial-of-Service (DDoS) attack which overwhelmed its name servers. Because lookups for its customers’ domains failed or timed out, sites including The New York Times, PayPal, and Pinterest became slow or unreachable for many users, even though the sites themselves were up. The attack lasted several hours and shifted as the day went by, starting with Dyn’s East Coast servers and later extending across the country.
A DDoS attack is an old technique: attackers harness thousands or millions of compromised machines to flood a target with traffic, far more than its servers or network links can absorb. Typically the attackers have infected those machines with malware in advance, and at the appointed time the malware takes its instructions from a command-and-control server and directs the device to join the flood. In the case of the Dyn attack, the attackers had indeed built such a botnet, but not out of traditional computers or tablets. Instead, they targeted consumer products with internet connectivity, including IP cameras, digital video recorders, baby monitors and “smart home” systems, commonly referred to as the Internet of Things (IoT). The Mirai malware behind that botnet spread simply by logging in to devices that still had their factory-default passwords.
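The reason a botnet of many small devices is so hard to stop is that no single device looks abusive. The following is an added example, not code from the original post or from Dyn: a toy detector run over constructed query-log lines (the log format, "epoch seconds, client IP, queried zone", is an assumption). A per-client rate limit catches one loud machine, but a flood spread over hundreds of bots at five queries each only becomes visible when you aggregate on the target.

```python
"""Why per-client rate limits miss a botnet flood.

Added example, not code from the original post or from Dyn. The log format is
assumed: one query per line, "<epoch seconds> <client ip> <queried zone>".
All traffic below is constructed in make_sample_log(); no real servers are involved.
"""
from collections import Counter, defaultdict

WINDOW_SECONDS = 60  # every constructed line falls inside one 60-second window


def make_sample_log():
    """Constructed traffic mix: light legitimate use, one loud single client,
    and a distributed flood where each bot stays under any sane per-client limit."""
    t0 = 1477050000  # arbitrary epoch value, 21 October 2016
    lines = []
    # legitimate: 20 clients, 3 queries each, spread over three zones
    for i in range(20):
        for zone in ("example.com", "example.net", "example.org"):
            lines.append(f"{t0 + i} 10.0.0.{i} {zone}")
    # single-source flood: one client fires 500 queries at example.net
    for j in range(500):
        lines.append(f"{t0 + j % WINDOW_SECONDS} 192.0.2.77 example.net")
    # distributed flood: 400 bots, only 5 queries each, all aimed at example.org
    for b in range(400):
        ip = f"198.51.100.{b}" if b < 256 else f"203.0.113.{b - 256}"
        for k in range(5):
            lines.append(f"{t0 + (b + k) % WINDOW_SECONDS} {ip} example.org")
    return lines


def parse(lines):
    """Turn log lines into (timestamp, client, zone) tuples, skipping malformed ones."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, zone = parts
        try:
            events.append((int(ts), client, zone.lower().rstrip(".")))
        except ValueError:
            continue
    return events


def per_client_alerts(events, limit):
    """Clients exceeding `limit` queries in the window: catches the loud single source."""
    counts = Counter(client for _, client, _ in events)
    return {client: n for client, n in counts.items() if n > limit}


def per_zone_alerts(events, limit):
    """Zones whose aggregate query count exceeds `limit`, with the number of distinct
    clients involved. Many clients at a low rate each is the botnet signature."""
    counts = Counter(zone for _, _, zone in events)
    clients = defaultdict(set)
    for _, client, zone in events:
        clients[zone].add(client)
    return {zone: (n, len(clients[zone])) for zone, n in counts.items() if n > limit}


def classify(events, per_client_limit=100, per_zone_limit=1000):
    """Run both detectors; the distributed flood only shows up in the zone view."""
    return {
        "loud_clients": per_client_alerts(events, per_client_limit),
        "flooded_zones": per_zone_alerts(events, per_zone_limit),
    }


if __name__ == "__main__":
    result = classify(parse(make_sample_log()))
    print("per-client limit caught:", result["loud_clients"])
    print("per-zone aggregate caught:", result["flooded_zones"])
```

On the constructed data the per-client check flags only 192.0.2.77, while example.org, hit by 2,000 queries from 420 distinct clients, is flagged only by the aggregate check. Real defenses (anycast, upstream scrubbing, response rate limiting) work from the same observation: the target, not the source, is where the signal is.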
Computer security experts have been warning about the vulnerability of IoT devices for years. Unlike traditional computers, internet-connected refrigerators and coffee makers are not always set up to receive security updates on a regular basis; the interface is usually limited, and consumers may not know how to update them or may never have changed the default password. If the device is being used in a DDoS attack, the owner likely won’t know, because the device will still work fine. A Washington Post article this week argues that the government needs to get involved by regulating IoT devices. While the security risk is significant, the cost of an insecure device falls on third parties like Dyn and its customers rather than on the manufacturer or the owner, so there is little incentive to build security into the device design.
On to the insurance implications of the Dyn attack… the client I was meeting with that Friday asked the obvious question – would a cyber policy cover an event like this? Like all good insurance questions, the answer is that it depends on where you sit. If you are the company that is the target of a DDoS attack, in this case Dyn, then the resulting loss of income and extra expenses would be covered under a cyber policy’s Network Business Interruption coverage part. Most policies would have a time deductible of 8-12 hours, meaning it would only pay loss after your business had been interrupted for more than 8-12 hours due to the cyber security failure.
The answer gets more complicated as you move downstream. Most cyber policies do NOT cover contingent Network Business Interruption. The Dyn scenario is the exact problem they are worried about – where an attack at a single company could cause a loss on hundreds or thousands of policies. Some insurers will consider Contingent NBI coverage, but usually on a scheduled basis for specific outside vendors, and often with a lower limit of liability (a sublimit). This way they can track their aggregation of risk for a particular vendor and stop offering coverage when the cumulative exposure gets too high.
From a risk management perspective, it is critical to understand your contingent business risks for cyber. What organizations are you relying on, not just your hosting provider but DNS, content delivery, payment processing, identity and email? How would your business be impacted if one of them went down for an extended period of time? Where a redundant provider is practical, do you have one (sites that ran a second authoritative DNS provider alongside Dyn generally stayed reachable that Friday)? What recourse (if any) do you have against the vendor? And if you purchase cyber insurance, make sure you understand if and how it extends to contingent business interruption loss.
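Answering “what organizations are you relying on” for DNS is mechanical once you have each zone’s NS records. The following is an added example, not code from the original post or from any vendor: it parses the record lines that `dig NS <zone>` prints, maps each name server to a provider, and reports which zones rest entirely on one provider and how many zones each provider touches. The three zones and their name servers are constructed sample data, and the provider hostname patterns are illustrative assumptions to extend for your own vendors.

```python
"""Which outside DNS providers do our zones depend on, and where is a single vendor
a single point of failure?

Added example, not code from the original post or from any vendor. Input is the
record text that `dig NS <zone>` prints in its ANSWER section; the sample below is
constructed, and the provider patterns are illustrative assumptions.
"""
import re
from collections import Counter, defaultdict

# Assumed name-server hostname patterns for a few managed-DNS vendors (extend as needed).
PROVIDER_PATTERNS = [
    (re.compile(r"\.dynect\.net$"), "Dyn"),
    (re.compile(r"\.awsdns-\d+\.(com|net|org|co\.uk)$"), "Route 53"),
    (re.compile(r"\.ns\.cloudflare\.com$"), "Cloudflare"),
    (re.compile(r"\.nsone\.net$"), "NS1"),
]

# Constructed sample: three zones under the reserved .example TLD.
SAMPLE_DIG_OUTPUT = """
; <<>> constructed sample, not real dig output <<>>
shop.example.        172800  IN  NS  ns1.p03.dynect.net.
shop.example.        172800  IN  NS  ns2.p03.dynect.net.
shop.example.        172800  IN  NS  ns3.p03.dynect.net.
api.example.         172800  IN  NS  ns-101.awsdns-12.com.
api.example.         172800  IN  NS  ns4.p03.dynect.net.
corp.example.        172800  IN  NS  ns1.corp.example.
corp.example.        172800  IN  NS  ns2.corp.example.
"""


def parse_ns_records(text):
    """Collect NS hostnames per zone from dig-style records:
    '<owner> <ttl> <class> NS <nameserver>'. Comments and other record types are skipped."""
    records = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[3].upper() != "NS":
            continue
        zone = parts[0].rstrip(".").lower()
        nameserver = parts[4].rstrip(".").lower()
        records[zone].add(nameserver)
    return dict(records)


def provider_of(nameserver, zone):
    """Classify a name server: inside the zone itself (self-hosted), a known vendor, or unknown."""
    if nameserver == zone or nameserver.endswith("." + zone):
        return "self-hosted"
    for pattern, name in PROVIDER_PATTERNS:
        if pattern.search(nameserver):
            return name
    return "unknown"


def dependency_report(records):
    """Zone -> set of providers serving it."""
    return {zone: {provider_of(ns, zone) for ns in hosts} for zone, hosts in records.items()}


def single_provider_zones(report):
    """Zones whose every name server sits with one provider: an outage there takes the zone down."""
    return sorted(zone for zone, providers in report.items() if len(providers) == 1)


def zones_per_provider(report):
    """How many of our zones each provider touches, i.e. where our exposure aggregates."""
    counts = Counter()
    for providers in report.values():
        counts.update(providers)
    return counts


if __name__ == "__main__":
    report = dependency_report(parse_ns_records(SAMPLE_DIG_OUTPUT))
    for zone, providers in sorted(report.items()):
        print(f"{zone:15} {', '.join(sorted(providers))}")
    print("single-provider zones:", single_provider_zones(report))
    print("zones per provider:", dict(zones_per_provider(report)))
```

In the sample, shop.example depends entirely on Dyn and corp.example entirely on its own servers, while api.example is split between Dyn and Route 53 and would have kept resolving during a Dyn outage. The same per-provider count is what a contingent NBI underwriter is doing on the other side of the table, only across their whole book rather than your zones.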