What Hurricane Andrew teaches us about cyber attacks

This is a contributed piece by Ira Scharf, Vice President and General Manager of Worldwide Cyber Insurance at BitSight Technologies.


In August 1992, Hurricane Andrew struck southern Florida and nearby regions, wreaking $25 billion in damage and killing 65 people. The Category Five storm, with winds of up to 165 mph, obliterated more than 25,000 houses in Miami-Dade County alone in what was then the costliest natural disaster in US history.

While Hurricane Andrew is remembered most for demolishing entire communities, it also proved catastrophic for Florida’s property insurance market after many carriers realised they had drastically underestimated the state’s vulnerability to such a natural disaster.

Twenty-seven years had passed since the last major hurricane hit the southeast coast, and the insurance industry had grown complacent in how it assessed hurricane risk. Andrew was a grim wake-up call, causing unprecedented insurance losses of $15.5 billion. Eleven insurers subsequently went insolvent, and many surviving companies wanted to leave Florida.

Andrew is widely considered a watershed event in how insurance companies manage risk, spawning improvements in catastrophe risk modelling for determining exposure and predicting losses.

Some of the same dynamics that threw insurance companies into turmoil in Florida are apparent today in the emerging cyber insurance industry, which protects businesses from internet-related calamities like cyber-attacks and system failures.

Organisations across a range of industries are starting to turn to cyber insurance in today’s high-risk digital world, where barely a month seems to go by without headlines about a high-profile hack such as those at Target, Home Depot and the US Office of Personnel Management.

Gross annual written premiums for cyber insurance are around $2.5 billion today – a blip compared to home and auto insurance – but are expected to rise to $7.5 billion by the end of the decade, according to PWC.

It’s great that insurers have identified an important need to fill in cyber, but they need to do better at addressing an integral point that insurance companies in Florida missed before Hurricane Andrew.

As they transition to the cloud computing era, large and mid-sized companies are depending on a relatively small set of cloud service providers, web hosting platforms and other cloud-based services.

For example, nearly 40% of media and entertainment companies use Amazon Web Services as their content delivery network. My company’s review of one insurance company's portfolio of insureds and its links to different service providers revealed that 77% of insureds from the portfolio used Akamai Technologies and more than 64% used Verisign.

Meanwhile, cyber criminals are recognising that these outside vendors can often be their best point of entry into the confidential data of the companies that hired them. So bad actors may be able to breach multiple organisations through a single attack on a service provider.

As was the case in Florida, cyber insurers are susceptible to a single intrusion impacting a large number of organisations and forcing them to make pay-outs to many of their customers simultaneously.

Risk aggregation is well understood and standardised in other lines of insurance. Every property insurance company now knows, for example, not to concentrate too many policies within the same 10-mile strip of the Florida coastline. The key is to diversify and spread risk.

But in the still-developing cyber insurance field, models for risk aggregation are still nascent. Too many insurers today lack sufficient visibility into the level of concentration of third party cloud providers among their insureds.

It would be a huge and costly mistake for cyber insurers to remain blind to the danger of too much risk concentrated in too few places.

Insurers must do a better job gaining visibility into areas of third-party concentration in their portfolios, where a single breach of a compromised service provider could lead to dozens or hundreds of cyber claims.

They need to gain a holistic view of their portfolio, the connections of insureds, and their aggregate risk. With so many organisations relying on a small number of service providers, software platforms or fourth-party suppliers, single points of failure have become a reality that insurance providers cannot afford to ignore.
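The visibility the article asks for is, at bottom, a concentration calculation over a portfolio: for each third-party provider, how many insureds depend on it and how much policy limit would be in play if that provider were breached. The script below is an added illustration written for this page; it is not code from the author or from BitSight, and the portfolio, provider names and policy limits are constructed sample data. It also shows the point the article makes about a single event touching several providers at once: an insured that depends on two affected providers is counted once, so the exposure figure does not inflate.

```python
from collections import defaultdict

# Constructed sample portfolio (hypothetical insureds, providers and limits):
# insured -> (policy limit in USD, set of third-party providers it depends on)
PORTFOLIO = {
    "insured-A": (5_000_000, {"cdn-x", "dns-y", "cloud-z"}),
    "insured-B": (2_000_000, {"cdn-x", "dns-y"}),
    "insured-C": (1_000_000, {"cdn-x", "cloud-w"}),
    "insured-D": (3_000_000, {"cdn-x", "dns-y", "cloud-z"}),
    "insured-E": (4_000_000, {"cdn-x", "cloud-w"}),
    "insured-F": (2_000_000, {"dns-y", "cloud-z"}),
    "insured-G": (1_000_000, {"cdn-x", "dns-y"}),
    "insured-H": (2_000_000, {"cloud-w"}),
}


def provider_concentration(portfolio):
    """Map each provider to (insured count, share of portfolio, aggregate policy limit).

    The share answers "what fraction of our insureds would be hit by a breach of
    this provider"; the aggregate limit bounds the claims that breach could trigger.
    """
    total_insureds = len(portfolio)
    count = defaultdict(int)
    aggregate_limit = defaultdict(int)
    for limit, providers in portfolio.values():
        for provider in providers:
            count[provider] += 1
            aggregate_limit[provider] += limit
    return {
        provider: (count[provider], count[provider] / total_insureds, aggregate_limit[provider])
        for provider in count
    }


def flag_over_threshold(concentration, max_share):
    """Providers whose share of insureds exceeds the portfolio's concentration limit."""
    return sorted(
        provider
        for provider, (_, share, _) in concentration.items()
        if share > max_share
    )


def single_event_exposure(portfolio, providers_hit):
    """Aggregate limit of every insured touched by one event that takes down
    several providers at once. Each insured is counted once even if it depends
    on more than one of the affected providers.
    """
    return sum(
        limit for limit, providers in portfolio.values() if providers & providers_hit
    )


def main():
    concentration = provider_concentration(PORTFOLIO)
    print("provider   insureds  share   aggregate limit")
    for provider, (n, share, limit) in sorted(concentration.items(), key=lambda kv: -kv[1][1]):
        print(f"{provider:<10} {n:>8} {share:>6.0%} {limit:>16,}")
    # Hypothetical underwriting rule: no provider may sit under more than half the book.
    print("over 50% concentration:", flag_over_threshold(concentration, 0.5))
    hit = {"cdn-x", "dns-y"}
    print(f"one event hitting {sorted(hit)}: {single_event_exposure(PORTFOLIO, hit):,} USD exposed")


if __name__ == "__main__":
    main()
```

The threshold of 50% is a placeholder for whatever concentration limit an underwriter sets; the point of the check is that, in the sample book, two providers each sit under well over half the insureds, and a single event affecting both exposes almost the whole portfolio, not the sum of the two per-provider figures.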

What if the Hurricane Andrew of cyber-attacks hit? That’s a question cyber insurers need to ask (perhaps even more timely with the start of hurricane season upon us). And they must make sure they’re not caught off guard like the insurance companies in the Sunshine State in 1992.

