If you had said to me a week ago that an army of baby monitors could threaten Amazon, I would have walked away laughing. Yet last Friday, October 21st 2016, we witnessed just such an event.
A distributed denial of service (DDoS) attack against Dynamic Network Services, Inc. (Dyn), a managed DNS provider, created a wide ripple of disruption across the internet. The attack flooded Dyn’s DNS servers with so much traffic – reportedly around 1 Terabit per second (akin to downloading the Library of Congress every 2 minutes) – that the domains of business customers who rely on Dyn for name resolution, including Amazon, Netflix, Twitter, Tumblr, Reddit, and Spotify, could not be resolved reliably, and those services were disrupted to varying degrees.
Not only were the effects of this attack notable, so too was its source. Reportedly hundreds of thousands (by some accounts tens of millions) of compromised baby monitors, DVRs, security cameras and similar devices – collectively making up the “Internet of Things” (IoT) – were orchestrated into a botnet to launch the simultaneous attack. KrebsOnSecurity provides a good overview of the attack itself.
Dyn advised the next day that the attack on their services came in three waves:
- The first wave started at about 7am ET and lasted about 2 hours.
- The second wave began shortly before noon and was mitigated in just over an hour.
- A third wave, later in the afternoon, was mitigated “without customer impact”.
Business customers of Dyn reported similar disruptions as a consequence. Amazon advised that its AWS service was affected during the first attack, for a similar timeframe. Others had differing impacts as the attack spread from the East Coast to the West Coast and Europe. Customers of these businesses would, in turn, have felt the impact, ranging from the inconvenience of a Netflix streaming video being disrupted to a business disruption arising from an inability to reach Amazon’s servers.
And, last but not least, XiongMai Technologies, the Chinese manufacturer of components common to many of the devices leveraged in this attack, was affected as it announced a recall of millions of its devices for upgrades. The company issued a statement Friday that it would “recall some of its earlier products sold in the United States, strengthen password functions and send users a patch for products made before April last year.”
How might insurance respond to an attack like this?
We cannot comment specifically as to what insurance is in place for any of the affected firms, nor can we say whether such insurance will respond and how. But we can provide hypotheticals that might help illustrate how insurance SHOULD respond to similar events. We’ll focus in particular on cyber insurance and product recall insurance, and use Friday’s firms to illustrate the hypotheticals.
Cyber insurance is designed to cover a variety of losses that can arise from a company’s reliance on information and systems. Coverage typically includes:
- Network interruption for loss caused by the insured’s own systems being interrupted
- Dependent network interruption for loss caused by a vendor’s systems being interrupted
- Breach response coverage for costs incurred following a cyber incident
- Liability protection for firms that are sued following such cyber incidents
Let’s look briefly at how each of these key coverage parts might respond to an “Internet of Things” attack.
Network interruption
Known also as business interruption, this coverage provides an insured with coverage for lost earnings and extra expense due to an interruption of their own systems. In the case of a firm similar to Dyn that suffers a direct attack, this is the coverage we’d first look at to determine what rights and obligations the insured has. The key challenge, based on Friday’s incidents, would be clearing the waiting period – a minimum amount of time that must elapse before any interruption is covered. The total duration of the combined attacks, based on the Dyn statement, appears to be just over 3 hours – well below the typical waiting period of 8 hours. The picture is worse than that sum suggests, because a waiting period is typically measured against each separate interruption, and the longest single wave here lasted about 2 hours.
Dependent network interruption
Similar to network interruption, this coverage provides insureds with protection when they suffer losses arising from a third-party system interruption. Using Friday’s events to illustrate, the insured here would be one of Dyn’s customers, such as Amazon or Netflix, who themselves suffered a loss of earnings and/or incurred extra expense due to Dyn’s systems being interrupted by the attack. The waiting period would be similar here, and other limitations may apply such as co-insurance or sublimits.
Breach response
For the insured who is directly attacked, breach response may provide some coverage for costs incurred. This coverage is generally thought of in the context of a privacy breach, and is generally tailored to related expenses such as determination of privacy obligations state by state, notification of affected consumers, and the offering of a year of credit monitoring. While Friday’s attacks were not privacy related, they nonetheless could trigger other aspects of breach response coverage, including the costs of cyber forensics to “put out the fire” and the public relations costs intended to mitigate potential damage to the insured’s brand and reputation.
Liability
Last but not least is liability coverage. Most cyber policies include liability coverage for claims alleging the insured’s negligence in protecting systems and information. These claims can come from any affected party who can allege some level of damage, and can range from a single claimant (Amazon might sue Dyn, for instance) to a broad class action (Netflix customers might form a class and sue both Netflix and Dyn for the disruption of their content streaming). A second type of liability could arise if Dyn’s commercial customers allege that Dyn was negligent in rendering the agreed professional services, violating contractually agreed and paid-for service levels; that exposure is the province of technology errors and omissions (tech E&O) coverage rather than the privacy-oriented liability section.
Product recall insurance can also be relevant for a firm like XiongMai, the equipment manufacturer implicated in these attacks. Coverage for such firms is available and would prove relevant to the recall of potentially millions of devices, the firmware upgrades needed on those devices, and their redistribution back to customers.
Takeaways for our clients
The emergence of the Internet of Things leads to new variants of old threats. The notion that baby monitors could be unwitting participants in a massive DDoS attack such as this is alarming and yet not really that surprising, once it sinks in. Awareness that this is possible is important. As we understand how the Internet of Things actually works – that baby monitors, DVRs, or any other intelligent devices are basically miniature “PCs” that give their owners far less control and visibility, and that often ship with default or weak passwords, as XiongMai’s own statement about strengthening “password functions” acknowledges – it’s not difficult to see how these devices could be hacked and misused. This recognition is a first step toward better preparing for this emerging threat.
Risk detection and mitigation steps by sophisticated tech companies limited the duration of loss suffered by these firms. Amazon, for instance, was able to redirect to other DNS providers and minimize its reliance on Dyn during the attack, shortening the effective outage for itself (and for its customers in turn). Your preparation for such events will benefit from including scenarios like a DDoS by baby monitors, which would have sounded crazy a week ago. Clients should be asking themselves whether they are fully prepared for a similar threat. Are the necessary risk detection and mitigation safeguards in place? In concrete terms: do you know which third-party infrastructure providers (DNS in Dyn’s case) your revenue depends on, does any of them represent a single point of failure, and could you fail over to an alternative as Amazon did?
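One way to put that last question to a quick test, as an added example that is not part of the original post: take the authoritative NS records for a zone (the answer section of `dig NS <zone>`) and group the name servers by provider. A zone whose name servers all belong to one provider has exactly the single-point-of-failure exposure Dyn’s customers discovered. The `dig` output below is constructed sample data modelled on the public hostname patterns of two providers, and the provider labelling is a heuristic assumption, not an authoritative registry.

```python
"""Flag zones whose authoritative DNS depends on a single provider.

Added illustration, not from the original post.  The sample records are
constructed; the provider patterns are an assumption for this example.
"""
import re
from collections import defaultdict

# Constructed sample output of `dig +noall +answer NS example.com`.
# Hostnames follow the public naming patterns of Dyn (dynect.net) and
# Amazon Route 53 (awsdns-NN.<tld>), but the records themselves are made up.
DYN_ONLY = """\
example.com.\t3600\tIN\tNS\tns1.p01.dynect.net.
example.com.\t3600\tIN\tNS\tns2.p01.dynect.net.
example.com.\t3600\tIN\tNS\tns3.p01.dynect.net.
example.com.\t3600\tIN\tNS\tns4.p01.dynect.net.
"""

DYN_PLUS_ROUTE53 = DYN_ONLY + """\
example.com.\t3600\tIN\tNS\tns-1111.awsdns-11.org.
example.com.\t3600\tIN\tNS\tns-222.awsdns-22.co.uk.
"""

# Heuristic provider labels (assumption).  Route 53 spreads its name servers
# across four TLDs, so grouping by registered domain alone would over-count
# providers; the regex folds them into one label.
PROVIDER_PATTERNS = [
    (re.compile(r"\.dynect\.net$"), "Dyn"),
    (re.compile(r"\.awsdns-\d+\.(com|net|org|co\.uk)$"), "Amazon Route 53"),
]

# One answer line: <owner> <ttl> IN NS <target>
NS_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)\s*$")


def parse_ns_records(dig_output):
    """Return the NS targets (lower-cased, no trailing dot) from dig answer lines."""
    hosts = []
    for line in dig_output.splitlines():
        m = NS_LINE.match(line.strip())
        if m:
            hosts.append(m.group(2).rstrip(".").lower())
    return hosts


def provider_of(ns_host):
    """Map a name-server hostname to a provider label."""
    for pattern, name in PROVIDER_PATTERNS:
        if pattern.search(ns_host):
            return name
    # Fallback: the last two labels of the hostname.  Good enough for most
    # providers, but it will split multi-TLD providers not listed above.
    return ".".join(ns_host.split(".")[-2:])


def providers(dig_output):
    """Group the zone's name servers by provider label."""
    groups = defaultdict(list)
    for host in parse_ns_records(dig_output):
        groups[provider_of(host)].append(host)
    return dict(groups)


def has_provider_redundancy(dig_output, minimum=2):
    """True if authoritative DNS is spread over at least `minimum` providers."""
    return len(providers(dig_output)) >= minimum


if __name__ == "__main__":
    for label, sample in (("Dyn only", DYN_ONLY), ("Dyn + Route 53", DYN_PLUS_ROUTE53)):
        status = "OK" if has_provider_redundancy(sample) else "SINGLE PROVIDER"
        print(f"{label}: {status} -> {sorted(providers(sample))}")
```

Run it against the real `dig +noall +answer NS yourzone` output for each revenue-bearing zone; a `SINGLE PROVIDER` result is the exposure to raise in the next renewal discussion, since dependent network interruption cover is the backstop, not the control.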
Cyber insurance can provide a valuable and flexible tool for covering many types of cyber losses, and Friday’s events are no exception, as we’ve outlined. Adding product recall to the mix for manufacturers subject to massive recalls can also be highly relevant. Ensuring this coverage is in place well in advance of a loss, that it has the broadest possible terms and conditions, that it keeps up with rapid developments in these evolving areas of coverage, and that it is acted upon at the time of loss through proactive claims advocacy, are critical ingredients of successful risk transfer.
Guest blogger Jim Devoe is Senior Vice President of Willis Towers Watson’s FINEX North America Cyber and Tech E&O Broking Team, based in Boston. Jim has worked in the insurance industry for over 30 years, in roles ranging from Actuarial Programmer at TPF&C to Technology Strategist at The Hartford. Jim’s specialty over the past 10 years has focused in particular on a wide range of cyber and tech E&O coverage issues.