The massive global distributed denial of service attack (DDoS) against internet infrastructure provider Dyn DNS Co. that left over 1,000 major brand name sites including Twitter, Netflix, PayPal and Spotify, inaccessible Friday has implications for insurers too.
While the nature and source of the attack is under investigation, it appears to have been (in the words of Dyn chief strategy officer Kyle York) “a sophisticated, highly distributed attack involving tens of millions of Internet Protocol addresses.”
As Bryan Krebs’ KrebsOnSecurity blog first reported, the attack was launched with the help of hacked Internet of Things (IoT) connected devices such as CCTV video cameras and digital video recorders (DVRs) that were infected with software (in this case the Mirai botnet) that then flooded Dyn servers with junk traffic.
The World Economic Forum (WEF) recently warned that failing to understand and address risks related to technology, primarily the systemic cascading effects of cyber risks or the breakdown of critical information infrastructure could have far-reaching consequences for national economics, economic sectors, and global enterprises.
As the IoT leads to more connections between people and machines, cyber dependency will increase, raising the odds of a cyberattack with potential cascading effects across the cyber ecosystem, the WEF noted.
While IoT connected devices have the potential to transform how businesses and individuals—and their insurers—conduct, manage and monitor their operations, workplaces and their homes, clearly there are embedded risks that insurers need to consider.
Over at Celent’s insurance blog, Donald Light, director of Celent’s North America property/casualty practice, says the Dyn DDoS attack has a number of potentially serious implications for insurers.
“An insurer with a Connected Home or Connected Business IoT initiative that provides discounts for web-connected security systems, moisture detectors, smart locks, etc. may be subsidizing the purchase of devices which could be enlisted in a botnet attack on a variety of targets. This could expose both the policyholders and the insurer providing the discount to a variety of potential losses.”
If the same type of safety and security devices are disabled by malware, homeowners and property insurers may have increased and unanticipated losses, Light suggests.
The Insurance Information Institute white paper on cyber threats and opportunities is available here.