Chief executives and board-level decision makers within S&P 500 and FTSE-100 component companies are seriously evaluating the possibility of taking out insurance against a $100 billion global cyber catastrophe risk event for their worldwide operations. Such an event could cause massive business interruption for days and lead to insurmountable property and liability, breach of contract and workers' compensation claims, alongside the potential for serious intellectual property theft and online financial fraud.
Specialist law firms and General Counsels' offices have been busy over the last two weeks reviewing the terms of reference of existing insurance policies in regard to large scale cyber risk and catastrophe cover. Both captive insurance companies and general insurance companies have been approached for clarification on cataclysmic digital events and associated fallout leading to large scale loss of revenues or claims.
Reinsurance companies, in turn, have been approached by insurance underwriters and brokers in the last ten days, especially because every form of digital risk and terrorism has been studiously excluded from all types of general property and casualty insurance and associated reinsurance policies since 9/11, often with the use of "side letters."
Up until August 2003, it was generally believed that cyber catastrophe was a non-starter and therefore not worth insuring against. Then the global MSBlast and SoBig malware epidemics struck alongside the largest power outage in history across North East America - affecting New York, Cleveland, Ohio, Detroit, Michigan, Toronto and Ottawa - followed by further outages in London (UK), parts of Sweden, Denmark, Switzerland and most of Italy. As a result, strategic corporate interest in large scale digital catastrophe, associated damage to critical economic infrastructure and multi-day power outages has been rising in the last six months.
From the Chief Executives' perspective, the events of the last two weeks have not been promising: they have included the worst malware epidemic to date, the MyDoom proliferation, as well as successive announcements from Microsoft in regard to critical flaw patches, followed by the leak of 13.5 million lines of source code for Windows 2000 and NT4 just before the weekend. There is bound to be at least one exploitable feature, bug, off-by-one error or buffer-overflow vulnerability per 10,000 lines of source code, leading to well over 1,000 potential hacker-activated code or malware entry points. This is concerning board-level IT-minded executives in particular.
Windows 2000 and NT4 are still widely used within a range of customised mission-critical applications across most industries that have yet to migrate to newer versions of Windows servers and clients. Typically, a migration of that magnitude carries a prohibitive financial cost.
It is the unenvisaged and as yet unidentified $100bn global cyber-catastrophe threats in particular that concern chief executives, CFOs and CIOs of S&P 500 and FTSE-100 component companies. If a large scale risk is not yet known or quantifiable, then these decision makers ought to be able to transfer the financial component of that risk through insurance or some other form of alternative risk transfer, such as a catastrophe bond put together by a consortium. There is an obligation to shareholders that all identified large risks ought to be reported to the board and that economically viable transfer-of-risk mechanisms ought to be leveraged.
Although low-level cyber-liability insurance exists in embryo form, very little has been modelled or productised by insurance and reinsurance underwriters at the $100bn global cyber-catastrophe scale. The premium for such cover is also likely to run into millions of dollars per quarter per corporation insuring against $2bn to $5bn of exposure, and to carry excess limits of $100 million or more, because the probability of incidence of cyber catastrophe has been rising with every passing month since August 2003, although it is still below 1%.
The leaked Microsoft Windows 2000 and NT4 source code contains the vital Winsock Application Programming Interface (API), Internet Explorer 5 (IE 5), Simple Network Management Protocol (SNMP), Public Key Infrastructure (PKI), networking and some Software Development Kit (SDK) code as well as the way in which Internet Explorer liaises with the rest of the operating system. These components are critical to maintaining safety, security and stability across a global digital network.
There is concern that multi-nationals could face bankruptcy if their digital points of vulnerability were targeted repeatedly at some stage by hackers or malware authors, who could gain an unfair advantage in attacking Microsoft computers by studying the leaked source code and then carry out large scale intellectual property theft or financial fraud in parallel with a denial of service attack.
Along with the demand for $100bn collective cyber-catastrophe risk cover comes the need for capital to cover the eventuality. Increasing specialist capacity in global insurance markets is incredibly important. Whether the exposure lies in a natural disaster-prone state like Florida or California, or in a state like New York with a track record of terrorist-targeted properties, it remains to be seen how much in the way of accumulated losses the private insurance and reinsurance market can absorb before the entire market is put at risk.
Large insurers and reinsurers have been downgraded by rating agencies as markets continue to harden, so the appetite for new risks without scientific modelling and track record can be low.
Given that specialist insurance capacity or appetite may not yet exist for $100bn-type cyber-cataclysmic events, catastrophe bonds are actively being considered by large corporations as a way forward. A catastrophe bond is a high-yield debt instrument that is usually insurance-linked and meant to raise money in case of a traditional catastrophe such as a hurricane or earthquake. It has a special condition stating that if the issuer (an insurance, reinsurance or captive company) suffers a loss from a particular predefined catastrophe, then the issuer's obligation to pay interest and/or repay the principal is either deferred or completely forgiven.
There are signs with every new outbreak that the next generation of malware, the Distributed Intelligent Malware Agent (DIMA), could begin colonising global computer networks much faster. [mi2g original research into DIMA, 13th January 2003]. Even though large organisations may shore up their defences, they can no longer be certain that their employees' and customers' home computers are entirely up-to-date, or that there is no malware or hacker attack in the pipeline based on as yet officially unidentified vulnerabilities. The MyDoom family of malware has led to the creation of a ready army of a million-plus zombie computers, which are still ready and waiting to direct a Distributed Denial of Service attack against any online computer network.
MyDoom, which already has 70% of the characteristics of a DIMA, has continued to cause some global disruption and irritation as the volume of debris email and infected computers reached an all-time cumulative high across 215+ countries, but it has now begun to wane since 12th February. For all its disruptive traits, MyDoom is still manageable.
However, future DIMA iterations may prove to be far more destructive as they get closer to becoming 100% capable and exhibit traits of intelligence and evolution in real time, just as counter-measures to fend them off are introduced. Future DIMA may also have unique channels of communication with their originators that may be used to commandeer their zombies towards new and highly vulnerable targets, such as the capability displayed recently by Deadhat, which colonises MyDoom-infected machines and then owns them through a cryptographic key-enabled upload facility.
Behind closed doors, senior