The internet has gone down. How long can your business withstand the interruption? One day? Two days? One week? What if the outage were widespread? How long would it take for the financial impact to be ruinous?
No insurance policy absorbs the risk of the world wide web grinding to a sudden halt.
Last year, hackers launched an attack that shut down thousands of websites.
In 2016, 81 internet outages in 19 countries cost a combined $2.8 billion in interruption losses.
The answer is not long at all. The internet is as essential to commerce today as are people. Without a connection, employees might as well stay home and watch Netflix. Oops, can’t do that either.
“If the internet tips over for just 24 hours, it would cause a global economic crisis because all transactions would grind to a halt,” says Stephen Catlin, executive deputy chairman of XL Group. “If the internet tips over for seven days, it would be cataclysmic.”
He’s right for an important reason: there is no insurance policy whatsoever that absorbs the risk of the world wide web grinding to a sudden halt. A company might have a policy covering the business interruption caused by a loss of access to its ISP (internet service provider) or cloud providers. But insurance covering the cessation of the internet itself is just too big a risk for the industry to bear.
“It would be like asking us to find insurance just in case there was no electricity in the world,” says Robert Parisi, managing director and cyber product leader at Marsh. “That’s a cool movie, but no carrier will cover you for that.”
The reason is that insurance policies absorbing business interruption losses typically contain an exclusion for the general failure of “utilities,” which in this case would be the internet. “If the internet goes kaput, there would be big problems for affected companies and the global economy, but it wouldn’t have an impact on the insurance marketplace,” Parisi says.
Could It Shut Down?
Although the internet has never experienced a complete breakdown, parts of it have shut down in the past. In October 2016, for instance, hackers launched a successful distributed denial of service (DDoS) attack against Dyn, a managed DNS (domain name system) provider of internet services to Twitter, Reddit, CNN, Spotify and thousands of other websites, shutting them down. DNS providers translate website names into IP (internet protocol) addresses.
“Approximately 500 companies that relied exclusively on Dyn for their web services suffered extensive downtimes and lost sales,” says Stephen Boyer, co-founder and chief technology officer of BitSight, an internet security firm. “This represented about 8% of Dyn’s customer base. Other companies relied on a variety of DNS providers, making the impact less severe.”
A more recent internet outage occurred for customers of Amazon Web Services (AWS), a provider of on-demand cloud computing platforms to companies such as Airbnb, Time and Netflix. The outage affected countless websites and web services on the U.S. East Coast for several hours in February. The culprit was human error, Amazon later reported.
The financial impact of the Dyn and AWS outages has yet to be tallied. But other internet interruptions provide some sense of the financial cost. In July 2017, a severed undersea cable off the coast of Somalia resulted in a three-week-plus internet outage in the country, costing its economy an estimated $10 million a day. When the prior government of Egypt pulled the plug on the internet for five days in 2011 to restrict communications among anti-government activists, its economy suffered losses estimated at $18 million per day.
Altogether, there were 81 separate instances of sporadic internet outages in 19 countries across the world in 2016. The collective cost of these interruptions was $2.8 billion in global GDP, according to a study by the Brookings Institution’s Center for Technology Innovation.
The center has also projected the cost of an outage across the entire United States: “A national internet outage for one week…would reduce economic activity by at least $54.1 billion. And if that outage lasted an entire year, the economic costs would be at least $2.8 trillion.”
These costs would be uninsured—not that companies wouldn’t file claims anyway. “The likelihood is that insurers would deny them, resulting in protracted litigation,” Parisi says. “A lot of subrogation would occur, with one party blaming another party, and so on.”
Could the entire web grind to a halt on a national or global basis? It’s possible. In 2002, an attack occurred against all 13 of the internet’s root name servers—the crucial components that map domain names to IP addresses.
“The attack lasted for an hour,” recalls Jody Westby, CEO of Global Cyber Risk, a provider of cyber-risk advisory services. “The hackers used a botnet to send a flood of messages to each of the servers, which were protected by packet filters. This helped to limit the damage, causing little impact on users.”
The import of the attack is distressing. “The internet was designed with resiliency and not security in mind, meaning if one part went down there would be other parts still left standing,” Westby says. “The fact that all 13 root name servers were attacked was a wake-up call, resulting in replicating the root name servers at a dozen other locations globally. Despite this failsafe, two of the 13 root name servers were attacked in 2007, shutting each of them down for about 24 hours.”
Still, the replication of the root name servers after the 2002 attack enabled the requests to be sent to the “mirror imaged” root name servers and thus minimized the impact of the attack.
The Problem Is Risk Aggregation
The internet’s importance to the smooth functioning of global economies is obvious. Without a connection, businesses would be left in the lurch. While insurers and reinsurers consider cyber insurance to be the industry’s most promising market, they are stymied in offering broader coverages.
“It’s just not possible to have a level of confidence in the potential risks,” says Mark Synnott, senior broker and global cyber practice leader at Willis Re. “Right now, it is difficult to test how bad the insured loss could be.”
The problem is risk aggregation. Insurers and reinsurers are unable to gauge with a fair degree of certainty the aggregation of cyber-related business interruption exposures they may be absorbing across multiple lines of coverage, including property, casualty, marine, aviation and transport.
“A well-coordinated attack could result in the simultaneous occurrence of many different types of cyber losses,” says Robert Hartwig, associate professor and co-director of the Risk and Uncertainty Management Center at the University of South Carolina’s Darla Moore School of Business. “Right now, it is difficult to identify, assess and quantify what types of cyber losses might occur in association with other types of cyber losses.”
Minus this ability, the total losses could be unbearable. “It’s not like a natural disaster, where you can offset the risk of an earthquake in Japan with Florida windstorm exposures and Chilean earthquake risks,” Synnott says.
Catlin shares this perspective. “Every other catastrophic risk—terrorism, wind, earthquake and even a pandemic—are all regional or local risks,” he says. “The collapse of the internet is the only event I can think of where the whole globe would be affected in a nanosecond.”
Breaking Down the Risk
Serious efforts are under way to paint a clearer picture of cyber risks. Traditional property catastrophe modeling firms like RMS and AIR Worldwide and newer cyber-risk rating vendors like BitSight and Cyence are partnering to develop robust cyber-risk models for underwriting purposes.
“We’re trying to break down cyber risk into its constituent parts to identify the key drivers of systemic risk to the insurance industry and then quantify these risks,” says Tom Harvey, senior product manager at RMS. “For instance, we’re looking closely at the various components that make up the backbone of the internet. We’re identifying the different pinch points, whether or not they could realistically suffer a disruption, and what the financial impact would be if it occurred.”
Still, both Harvey and Boyer affirm that modeling cyber risks is a steep uphill climb. “The biggest wrinkle is the adversary, which, unlike the weather, deliberately adapts and changes to get around current defenses,” Boyer says. “There’s always something new that can come up, whereas it’s very unlikely we will have a new kind of windstorm or earthquake. It’s these new vulnerabilities that give pause.”
But he is optimistic that a solution is forthcoming. “We’re just starting to get quantifiable data on the usage of web services through internet telemetry and other means, learning who really is relying on Dyn and AWS and other parties and providers in different regions,” he says. “The next piece is determining the key interdependencies if one or the other is knocked offline.”
The Cyber Insurance Market
As these efforts continue, the industry is confident that cyber-risk insurance will become a major contributor to premium volume in the future. In 2016, U.S. property-casualty insurers wrote $1.3 billion in direct written premiums for cyber insurance, a 35% increase from the prior year, according to A.M. Best.
A study by Allied Market Research tallies total gross premiums globally for cyber insurance at $3 billion today, estimating this figure will skyrocket to $14 billion by 2022. Most of the cyber-risk policies sold over this period will be underwritten differently. Unlike many other types of insurance, there is no standard ISO form for cyber insurance. “No two cyber policies are alike,” says Paul King, national cyber practice head at USI Insurance Services.
Other cyber risk experts agree. “Cyber policies are scattered all over the place,” says Sam Friedman, insurance research leader at Deloitte Center for Financial Services. “Insurers have an innate fear of writing cyber risks, which compels them to put in a failsafe. For instance, the policy might not cover business interruption losses caused when a third party, like a website hosting service, has an outage.”
Hartwig confirms this challenge. “If the company itself is hacked and shut down, this would likely be covered,” he says, “but if it is simply the victim of an attack that occurs to its ISP or cloud provider, chances are it might not be covered.”
While such coverage can be purchased, only a few carriers offer it. Even these coverages require careful reading of the policy language to ensure full protection. “A major issue is if the provider of a company’s network services is interrupted by a factor outside its control—the case with the AWS outage,” King says. “The terms and conditions in the marketplace are not standard across the board on this issue, although the industry is working hard to clarify the language.”
For now, Friedman advises insureds, “Do not assume you have coverage under existing policies. I don’t care if the policy says it covers ‘business interruption.’ The question is will it cover a business interruption if you can’t access your cloud provider or ISP for any reason.”
Brokers Addressing Gaps
Many brokers are confident they can put together an insurance program addressing the various coverage gaps for clients. However, such coverages are likely to have stringent terms and conditions, including tight financial limits, sub-limits, large deductibles and coverage triggers based on the length of the outage. The trigger condition alone can stand in the way of a company’s receiving full coverage.
“Many triggers are set at six hours, meaning six hours have to pass after the outage begins for the insurance to kick in,” King says. “The recent AWS failure was 5 hours and 45 minutes, meaning those affected that had insurance couldn’t collect for the loss caused by the interruption in business. At the same time, the industry was a mere 15 minutes from hitting a major potential payout.”
Carriers also want brokers to schedule a client’s cloud-computing providers in the insurance submission to obtain a clearer sense of the risk. “The carriers want to be sure, if a company’s current ISP or cloud service providers are attacked, there’s a backup plan in place to keep the business going,” says Michelle Lopilato, senior vice president and director of cyber and technology solutions at Hub International. “That’s where we as brokers can help our clients do what’s needed.”
Such help will become increasingly crucial. Catlin says, “We’re facing a risk that is growing exponentially [and] need to give real cover to an industry or a company against a cyber exposure that is specific to them.”
Banham is a financial journalist and author. Russ@RussBanham.com