Solving Cyber Risk - Andrew Coburn - E-Book

Description

The non-technical handbook for cyber security risk management.

Solving Cyber Risk distills a decade of research into a practical framework for cyber security. Blending statistical data and cost information with research into the culture, psychology, and business models of the hacker community, this book provides business executives, policy-makers, and individuals with a deeper understanding of existing and future threats, and an action plan for safeguarding their organizations. Key Risk Indicators reveal vulnerabilities based on organization type, IT infrastructure and existing security measures, while expert discussion from leading cyber risk specialists details practical, real-world methods of risk reduction and mitigation. By the nature of the business, your organization's customer database is packed with highly sensitive information that is essentially hacker-bait, and even a minor flaw in security protocol could spell disaster. This book takes you deep into the cyber threat landscape to show you how to keep your data secure.

* Understand who is carrying out cyber-attacks, and why
* Identify your organization's risk of attack and vulnerability to damage
* Learn the most cost-effective risk reduction measures
* Adopt a new cyber risk assessment and quantification framework based on techniques used by the insurance industry

By applying risk management principles to cyber security, non-technical leadership gains a greater understanding of the types of threat, level of threat, and level of investment needed to fortify the organization against attack. Just because you have not been hit does not mean your data is safe, and hackers rely on their targets' complacence to help maximize their haul. Solving Cyber Risk gives you a concrete action plan for implementing top-notch preventative measures before you're forced to implement damage control.


Page count: 662

Year of publication: 2018




Table of Contents

Cover

About the Authors

ANDREW COBURN

ÉIREANN LEVERETT

GORDON WOO

Acknowledgments

CHAPTER 1: Counting the Costs of Cyber Attacks

1.1 ANATOMY OF A DATA EXFILTRATION ATTACK

1.2 A MODERN SCOURGE

1.3 CYBER CATASTROPHES

1.4 SOCIETAL CYBER THREATS

1.5 CYBER RISK

1.6 HOW MUCH DOES CYBER RISK COST OUR SOCIETY?

ENDNOTES

CHAPTER 2: Preparing for Cyber Attacks

2.1 CYBER LOSS PROCESSES

2.2 DATA EXFILTRATION

2.3 CONTAGIOUS MALWARE INFECTION

2.4 DENIAL OF SERVICE ATTACKS

2.5 FINANCIAL THEFT

2.6 FAILURES OF COUNTERPARTIES OR SUPPLIERS

ENDNOTES

CHAPTER 3: Cyber Enters the Physical World

3.1 A BRIEF HISTORY OF CYBER-PHYSICAL INTERACTIONS

3.2 HACKING ATTACKS ON CYBER-PHYSICAL SYSTEMS

3.3 COMPONENTS OF CYBER-PHYSICAL SYSTEMS

3.4 HOW TO SUBVERT CYBER-PHYSICAL SYSTEMS

3.5 HOW TO CAUSE DAMAGE REMOTELY

3.6 USING COMPROMISES TO TAKE CONTROL

3.7 OPERATING COMPROMISED SYSTEMS

3.8 EXPECT THE UNEXPECTED

3.9 SMART DEVICES AND THE INTERNET OF THINGS

ENDNOTES

CHAPTER 4: Ghosts in the Code

4.1 ALL SOFTWARE HAS ERRORS

4.2 VULNERABILITIES, EXPLOITS, AND ZERO DAYS

4.3 COUNTING VULNERABILITIES

4.4 VULNERABILITY MANAGEMENT

4.5 INTERNATIONAL CYBER RESPONSE AND DEFENSE

ENDNOTES

CHAPTER 5: Know Your Enemy

5.1 HACKERS

5.2 TAXONOMY OF THREAT ACTORS

5.3 THE INSIDER THREAT

5.4 THREAT ACTORS AND CYBER RISK

5.5 HACKONOMICS

ENDNOTES

CHAPTER 6: Measuring the Cyber Threat

6.1 MEASUREMENT AND MANAGEMENT

6.2 CYBER THREAT METRICS

6.3 MEASURING THE THREAT FOR AN ORGANIZATION

6.4 THE LIKELIHOOD OF MAJOR CYBER ATTACKS

ENDNOTES

CHAPTER 7: Rules, Regulations, and Law Enforcement

7.1 CYBER LAWS

7.2 US CYBER LAWS

7.3 EU GENERAL DATA PROTECTION REGULATION (GDPR)

7.4 REGULATION OF CYBER INSURANCE

7.5 A CHANGING LEGAL LANDSCAPE

7.6 COMPLIANCE AND LAW ENFORCEMENT

7.7 LAW ENFORCEMENT AND CYBER CRIME

ENDNOTES

CHAPTER 8: The Cyber-Resilient Organization

8.1 CHANGING APPROACHES TO RISK MANAGEMENT

8.2 INCIDENT RESPONSE AND CRISIS MANAGEMENT

8.3 RESILIENCE ENGINEERING

8.4 ATTRIBUTES OF A CYBER-RESILIENT ORGANIZATION

8.5 INCIDENT RESPONSE PLANNING

8.6 RESILIENT SECURITY SOLUTIONS

8.7 FINANCIAL RESILIENCE

ENDNOTES

CHAPTER 9: Cyber Insurance

9.1 BUYING CYBER INSURANCE

9.2 THE CYBER INSURANCE MARKET

9.3 CYBER CATASTROPHE RISK

9.4 MANAGING PORTFOLIOS OF CYBER INSURANCE

9.5 CYBER INSURANCE UNDERWRITING

9.6 CYBER INSURANCE AND RISK MANAGEMENT

ENDNOTES

CHAPTER 10: Security Economics and Strategies

10.1 COST-EFFECTIVENESS OF SECURITY ENHANCEMENTS

10.2 CYBER SECURITY BUDGETS

10.3 SECURITY STRATEGIES FOR SOCIETY

10.4 STRATEGIES OF CYBER ATTACK

10.5 STRATEGIES OF NATIONAL CYBER DEFENSE

ENDNOTES

CHAPTER 11: Ten Cyber Problems

11.1 SETTING PROBLEMS

ENDNOTES

CHAPTER 12: Cyber Future

12.1 CYBERGEDDON

12.2 CYBERTOPIA

12.3 FUTURE TECHNOLOGY TRENDS

12.4 GETTING THE CYBER RISK FUTURE WE WANT

ENDNOTES

References

Index

End User License Agreement

List of Tables

Chapter 2

TABLE 2.1 Data potentially at risk of exfiltration, with suggested data classification policy.

TABLE 2.2 Data breach loss severity scale for number of personal records (PII, PCI, PHI) in data exfiltration, with statistics for United States, 2012 to mid-2018.

TABLE 2.3 Examples of contagious malware outbreaks ranked by global impact, past 30 years.

TABLE 2.4 Examples of different types of payloads of contagious malware, ranked by the severity of the consequences it can potentially inflict on the host system.

TABLE 2.5 Examples of ransom payments reported to have been paid by large organizations hit by cyber extortion attacks.

TABLE 2.6 Intensity of distributed denial of service attacks that will disable servers of given volumes, if unprotected.

TABLE 2.7 Increasing magnitude of DDoS activity year on year.

Chapter 5

TABLE 5.1 Prices of commodities available on dark web black market sites.

TABLE 5.2 Skill level gradings for cyber hackers.

Chapter 6

TABLE 6.1 Selected examples of scenarios that would cause MediaMark to have a loss of more than $50 million, with the odds of that scenario occurring in a given year.

Chapter 9

TABLE 9.1 Coverages available in cyber insurance products, and how common they are in products being offered across the market.

TABLE 9.2 Examples of published scenarios of probable maximum loss: hypothetical stress test scenarios used by insurance companies to assess potential cyber catastrophes that would cause large numbers of their policy holders to make insurance claims.

TABLE 9.3 Company-specific cyber risk rating variables collected on cyber insurance underwriting questionnaires. Compilation from 32 questionnaires collected 2017.

Chapter 10

TABLE 10.1 Bug vulnerability classification.

List of Illustrations

Chapter 1

FIGURE 1.1 Trading interconnectivity of major companies in the global economy. Cyber losses can cascade through the economy to create a multiplier effect for economic costs. Oracle, a market-leading provider of databases, is highlighted to illustrate an example of the key role played by providers of information technology in the global economy.

FIGURE 1.2 Global cyber risk: likelihood of loss occurring from cyber attacks.

FIGURE 1.3 Cyber catastrophes, their potential impacts, and their estimated likelihoods.

Chapter 2

FIGURE 2.1 Costs of US data breaches by size of breach (2012–2017).

FIGURE 2.2 WannaCry infections across the world and business impacts, May 2017.

FIGURE 2.3 Examples of losses caused to businesses by NotPetya malware, June 2017.

FIGURE 2.4 Classes of cloud services – equivalent or similar services being provided by the Big Four cloud service providers.

FIGURE 2.5 Geographical architecture of the Big Four cloud service providers, with major regional centers identified, serving local markets.

FIGURE 2.6 Regions and services provided by each of the Big Four cloud service providers, identifying the potential for cascading outages across both dimensions. The AWS S3 outage of February 28, 2017 is plotted for reference.

FIGURE 2.7 Duration of cloud service outages reported in a single year (2017 statistics for 100,000 events) extrapolated for likelihood of longer outage events per year.

Chapter 5

FIGURE 5.1 State-sponsored cyber teams: a selection.

Chapter 7

FIGURE 7.1 World map of data privacy regulation.

Chapter 9

FIGURE 9.1 Leading cyber insurance companies by market share (admitted market US 2017).


Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Australia, and Asia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers' professional and personal knowledge and understanding.

The Wiley Finance series contains books written specifically for finance and investment professionals as well as sophisticated individual investors and their financial advisors. Book topics range from portfolio management to e-commerce, risk management, financial engineering, valuation and financial instrument analysis, as well as much more.

For a list of available titles, visit our website at www.wileyfinance.com.

Solving Cyber Risk

Protecting your company and society

 

 

ANDREW COBURN

ÉIREANN LEVERETT

GORDON WOO

 

 

 

 

 

 

 

Copyright © 2019 Andrew Coburn, Éireann Leverett, and Gordon Woo.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993, or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Cataloging-in-Publication Data

Names: Coburn, Andrew (Andrew W.), author. | Leverett, Eireann, author. | Woo, G., author.

Title: Solving cyber risk: protecting your company and society / Andrew Coburn, Eireann Leverett, Gordon Woo.

Description: Hoboken, New Jersey: John Wiley & Sons, Inc., [2019] | Series: Wiley finance series | Includes bibliographical references and index. | Identifiers: LCCN 2018035611 (print) | LCCN 2018037247 (ebook) | ISBN 9781119490913 (Adobe PDF) | ISBN 9781119490920 (ePub) | ISBN 9781119490937 (hardcover) | ISBN 9781119490913 (ePDF)

Subjects: LCSH: Computer security. | Data protection.

Classification: LCC QA76.9.A25 (ebook) | LCC QA76.9.A25 C577 2019 (print) | DDC 005.8—dc23

LC record available at https://lccn.loc.gov/2018035611

Cover Design: Wiley

Cover Image: © iStock.com/scyther5

About the Authors

The three authors worked together on the development of the leading cyber risk analysis model being used by the insurance industry today, and in the development of scenarios for regulating cyber risk. They are each specialists in different fields of risk and cyber technology.

ANDREW COBURN

Andrew is a specialist in risk, and is the architect of the Cyber Solutions risk model marketed by Risk Management Solutions, Inc. (RMS), the leading cyber risk model being used in the insurance industry today. He is a senior vice president of RMS and one of the main contributors to the creation of commercial catastrophe risk models over the past 25 years. His previous books include Earthquake Protection (John Wiley & Sons). He is also a Director of the Cambridge Centre for Risk Studies (CCRS), based in the business school of the University of Cambridge, where he has coordinated the cyber risk research program and been the lead author on a number of CCRS cyber risk publications, which have been highly cited. Cyber risk scenarios developed at the CCRS have been adopted as stress tests by industry regulators. He is a frequent speaker at conferences on risk and financial services.

ÉIREANN LEVERETT

Éireann is an ethical hacker with many years of experience in cyber security and the impacts of computer security failures and accidents. He is the founder of Concinnity Risks Ltd and a Senior Researcher on Cyber Risk at the Cambridge Centre for Risk Studies (CCRS) at the University of Cambridge. He has experience of compromising the security of organizations, and assisting them to improve their security postures through a variety of short- and long-term methods. While his background is in artificial intelligence (AI) and computer security, he has increasingly taken an interest in a risk-centric view of computer security, and how markets can help or hinder progress in defending the internet. He is a member of the Forum of Incident Response and Security Teams (FIRST; https://www.first.org), and regularly speaks at incident response and hacker conferences.

GORDON WOO

Gordon is a catastrophist with Risk Management Solutions, Inc. (RMS), focusing mainly on complex man-made insurance risks such as terrorism and cyber risk. Profiled in Newsweek magazine, he was described as one of the world's leading catastrophists. He has 30 years of experience in catastrophe risk consultancy, advising financial institutions, governments, and major corporations. He was educated at Cambridge University, with degrees in mathematics, theoretical physics, and computer science. He is a visiting professor at University College London, and an adjunct professor at Nanyang Technological University, Singapore. He is the author of the books The Mathematics of Natural Catastrophes and Calculating Catastrophe, published by Imperial College Press.

Acknowledgments

The authors are fortunate to be supported by some great teams who have helped them carry out much of the work presented in this book. We have tried to acknowledge individual contributions wherever possible, but we would like to acknowledge specifically the inputs of:

Cambridge Centre for Risk Studies

We have had the support of some of the best and brightest at the Cambridge Centre for Risk Studies, a world-leading research center at Judge Business School, University of Cambridge. We are particularly grateful to the Executive Directors: Simon Ruffle, Professor Danny Ralph, and Dr Michelle Tuveson, and to the cyber risk research team: Dr Jennifer Daffron at stroke, Jennifer Copic, Tamara Evan, Kayla Strong, Andrew Smith (Drew to his risk colleagues), Kelly Quantrill, James Bourdeau, Tim Douglas, and Dr Andy Skelton. We are particularly indebted to Olivia Majumdar for her help in getting this book under way.

We are also indebted to the companies that have sponsored the research into cyber risk at the Cambridge Centre for Risk Studies, including Lockheed Martin, Lloyd's of London (with particular thanks to Trevor Maynard for his support and encouragement), AXA XL, Pool Re, Citigroup, American International Group (AIG), Risk Management Solutions, Inc. (RMS), and all the other supporters that have included cyber risk within the range of multi-threat risk research.

Risk Management Solutions, Inc.

We very much appreciate the support of our colleagues at RMS in the cyber model development team, particularly the business leadership of Dr Mohsen Rahnama, Peter Ulrich, Adam Sandler, Tom Harvey, and Kathleen Maloney, and the model development team, ably led by Dr Christos Mitas, Dr Hichem Boudali, Chris Vos, John Agorgianitis, Dr Malik Awan, and Simon Arnold. We appreciate the RMS team allowing us to use data from the RMS Cyber Loss Experience Database in various chapters of the book. We are of course particularly grateful to Dr Robert Muir Wood, who has created a culture of curiosity and innovation at the company, from which we all benefit. We are grateful to Hemant Shah, founder of RMS, for his support of research, tolerance of enquiry, and vision for new risk management frameworks, and to Karen White, CEO, for her emphasis on cyber risk analytics in the future of the organization.

We are also grateful to all the RMS clients who have worked with us over the past few years, helping us understand the nature of cyber risk from their experience, perspectives, and claims data.

Cambridge Computer Laboratory, University of Cambridge

We also gratefully acknowledge the inputs and assistance of our colleagues at the Cambridge Computer Laboratory and Cambridge Cybercrime Centre, including Director Dr Richard Clayton, Graham Rymer, Professor Frank Stajano, Professor Ross Anderson, Rob Watson, Dr Alice Hutchings, Professor Jon Crowcroft, and Professor Ian Leslie.

There are a number of hackers and members of the incident response community who contributed to these ideas either directly or indirectly, and either as individuals or as companies doing good work. In no particular order, we thank Sid Rao, Reid Wightman, Matt Erasmus, Erin Burns, Louise Stanhope, Baiba Kaskina, Silje Endsjo, Thomas Dullien, Marion Marschalek, Marie Moe, Alexandre Dulaunoy, Raphael Vinot, Thais Moreira Hamasaki, Aristotle Tzafalias, Arrigo Triulzi, Bruce Stenning, Aaron Kaplan, Thomas Schreck, and Jens Wiesner, with special thanks to Colin Cassidy for going on the full journey.

Finally, but by no means least, we would like to acknowledge the support (and tolerance) of our partners and families in the writing and production of the book. Many thanks, Helen (enjoyed the drinks on the riverbank boring you about hackonomics); Fatma and Mehmet (penguins); and Victoria.

CHAPTER 1: Counting the Costs of Cyber Attacks

1.1 ANATOMY OF A DATA EXFILTRATION ATTACK

1.1.1 The Plan

The year 2012 had been good for a small group of cyber hackers. They called themselves ‘Rescator’, after the noble and mysterious pirate character in the Angelique series of French historical romantic films popular on television in Eastern Europe and Russia. The Rescator team specialized in scamming the credentials from credit cards and selling the details for around a 10th of a bitcoin each (approximately $1 in 2012) on sites in the dark web and other black market outlets, such as the Russian ‘octavian’ marketplace.1 As they counted their takings in early December 2012, they watched a YouTube meme about the preholiday shopping frenzy taking place in the United States, set to the tune of ‘Good King Wenceslas’ played on cash registers, a parody of consumerism. Ker-ching! Inspired, their planning began in earnest, reinvesting their profits to go for the jackpot: a major theft of US credit card information during next year's holiday spending spree. They could not have known just how successful they would be, and that they were about to commit the biggest theft of credit card data in human history.

1.1.2 The Malware

Rescator began by buying a malware kit from one of the underground forums to create a RAM scraper, similar to other point-of-sale (PoS) hacking malware known as BlackPOS, but significantly more sophisticated.2 The Rescator software later became known as Kaptoxa, Russian slang for potato. In the point-of-sale terminals that were standard in US shops in 2013, when a shopper swiped a credit card through the card reader, the information was read from the card's magnetic stripe and, under Payment Card Industry Data Security Standard (PCI-DSS) rules, encrypted immediately. This protected it at rest, while stored on the local device's hard drive, and in transit, when it was transmitted to the back-end servers for processing. The 2013 point-of-sale systems had a weakness, however: the card details were read into the computer's temporary memory (RAM) in plaintext and only then encrypted, so for a brief moment they sat unprotected in memory. The RAM scraper could detect and copy the credit card details in the microseconds before the data was encrypted, and send them to a server that Rescator would configure to receive the stolen data.

1.1.3 Finding a Way In

Armed with their Kaptoxa Trojan horse, the Rescator team mapped out a plan to insert it into point-of-sale systems in companies in the United States. They drew up a hit list of the largest retailers that process large volumes of credit card transactions. However, as they went through the list, they found a snag: these big retail companies were all investing heavily in new security systems. During 2012 and throughout 2013, most of the big-name US retailers announced or implemented new installations of malware and data exfiltration detection services – various vendor security systems to prevent unauthorized access to IT systems, to sweep networks for malware, and to monitor traffic on the network to detect suspicious packets that could be data being stolen.

1.1.4 Using Suppliers with Authorized Access

Rescator started to work on finding ways to get around these defenses. Instead of directly targeting the retail companies themselves, they started researching their suppliers and counterparties, particularly anyone who might be granted access into the retailers' information technology (IT) systems.

In September 2013 they hit the bull's-eye. An employee at Fazio Mechanical Services fell for one of their phishing attacks by opening an attachment on an unsolicited email enabling another piece of spyware, Citadel, a password-stealing Trojan, to infect Fazio's IT network.3 Fazio Mechanical Services had an impressive client list of major US retailers in and around Pennsylvania, providing them with refrigeration and heating, ventilation, and air-conditioning (HVAC) systems, servicing their cold stores for frozen foods, and managing the energy usage and temperatures of large retail outlets. Fazio had access into the IT networks of its customers to enable it to monitor, troubleshoot, and control their refrigeration plants and HVAC systems.

Most significantly of all, the Fazio customer list included stores belonging to Target Corporation, a major discount store operator and second only to Walmart in US retail size. Target operated 1793 stores across 47 states in 2013, and had revenues of $72.5 billion.

1.1.5 Installing the Malware

Using their password-stealing Trojan, the Rescator team was able to obtain the credentials of the Fazio operators who routinely logged in through the firewall of Target Corporation into its IT network to monitor the Target refrigeration and HVAC systems. During the Thanksgiving holiday in November 2013 when most of the company was closed, they used these access codes to log in to the Target IT network and install their RAM-scraping malware on a few point-of-sale systems in Target stores. They took a couple of days to check that it worked, carried out systems checks, and waited to see if it would be detected. The Kaptoxa malware was sophisticated enough to be invisible to some of the best anti-malware systems in use at that time. Target was running 40 different commercial anti-malware tools, sweeping its networks and point-of-sale systems, and looking for any software that matched suspicious signatures. None of the systems identified the Kaptoxa installations as malicious.4

When the Rescator team found that their software had succeeded in evading the anti-malware sweeps, they returned and overnight pushed their malware to as many of Target's point-of-sale systems as they could reach.

1.1.6 Harvesting the Data

The pre-holiday season was indeed busy. Shoppers flocked into Target stores for their holiday gifts, appliances, and supplies. In a period from November 27, to December 15, 2013, the Kaptoxa malware on the point-of-sale systems in Target stores across the United States captured the details of transactions from 40 million debit and credit cards. An additional overlapping customer database that contained names and addresses of 70 million people was also stolen. It was the largest cache of credit card data that had ever been stolen.

The Kaptoxa malware cached the data it was stealing locally at each point-of-sale terminal. Every seven hours it checked the local time, and if it was between 10 a.m. and 5 p.m. it would send the data, hidden among the busy daytime network traffic, to an internal host on a compromised server inside the Target network. From there, the Rescator team used a series of remote file transfer protocol (FTP) transfers to retrieve the intercepted information, amounting to around 11 Gb of data. The stolen data transfers went to a number of ‘drop’ locations – servers in Russia, the United States, and Brazil that the Rescator gang controlled.5 These were computers in unsuspecting organizations that had also been hacked, giving the gang the ability to store the data there temporarily before moving it on to its final destination, and masking their tracks.
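Two defender-side checks follow from sections 1.1.5 and 1.1.6: a contractor account such as Fazio's should only ever reach the segment it services, and only during the contractor's working hours; and a point-of-sale terminal has exactly one legitimate destination, the payment processing host, so traffic from a terminal to any other internal host, or any FTP session leaving the network, deserves an alert. The script below is an added example, not code from the book or from Target; every address, account name, segment and log format in it is a constructed, hypothetical value.

```python
"""Added example (not from the book): two detection checks suggested by the
Target narrative, run over constructed log lines.

Check 1 (section 1.1.5): a vendor account authenticating to a host outside the
building-management segment, or outside the vendor's working hours, is flagged.
Check 2 (section 1.1.6): a point-of-sale host sending to anything but the
payment host, or any FTP session to an external address, is flagged.

All addresses, account names and the log format are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime
import ipaddress

# --- constructed policy (hypothetical values) --------------------------------
HVAC_SEGMENT = ipaddress.ip_network("10.50.0.0/24")   # building-management hosts the vendor services
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")    # point-of-sale terminals
PAYMENT_HOST = ipaddress.ip_address("10.10.1.5")      # the only host a PoS terminal should talk to
INTERNAL_NETS = (ipaddress.ip_network("10.0.0.0/8"),) # everything else counts as external
VENDOR_ACCOUNTS = {"svc_hvac_vendor"}                  # accounts issued to the HVAC contractor
VENDOR_HOURS = range(8, 18)                            # contractor works 08:00-17:59 on weekdays
FTP_PORT = 21


@dataclass
class Finding:
    rule: str
    line: str


def _is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def check_auth(ts, account, host, line):
    """Vendor-account checks: segment scope and time of day / day of week."""
    findings = []
    if account not in VENDOR_ACCOUNTS:
        return findings                       # employee accounts are out of scope for this check
    if ipaddress.ip_address(host) not in HVAC_SEGMENT:
        findings.append(Finding("vendor_account_outside_scope", line))
    if ts.hour not in VENDOR_HOURS or ts.weekday() >= 5:
        findings.append(Finding("vendor_login_off_hours", line))
    return findings


def check_flow(src, dst, dport, line):
    """PoS egress checks: unexpected internal destination, outbound FTP."""
    findings = []
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in POS_SEGMENT and d != PAYMENT_HOST:
        findings.append(Finding("pos_unexpected_destination", line))
    if dport == FTP_PORT and not _is_internal(d):
        findings.append(Finding("outbound_ftp", line))
    return findings


def analyze(lines):
    """Parse pipe-separated auth/flow records and return every finding.

    auth record: timestamp|auth|account|host
    flow record: timestamp|flow|src|dst|bytes|dport
    """
    findings = []
    for line in lines:
        fields = line.strip().split("|")
        if len(fields) < 2:
            continue                          # skip blank or malformed lines
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%S")
        kind = fields[1]
        if kind == "auth" and len(fields) == 4:
            findings.extend(check_auth(ts, fields[2], fields[3], line))
        elif kind == "flow" and len(fields) == 6:
            findings.extend(check_flow(fields[2], fields[3], int(fields[5]), line))
    return findings


# --- constructed sample log (timestamp|kind|...) ----------------------------
SAMPLE_LOG = [
    "2013-11-25T10:14:00|auth|svc_hvac_vendor|10.50.0.12",            # vendor, in scope, Monday morning
    "2013-11-28T02:20:00|auth|svc_hvac_vendor|10.20.3.7",             # vendor account on a PoS host, 2 a.m. on a holiday
    "2013-11-28T02:25:00|auth|jdoe|10.20.3.7",                        # ordinary account: not covered by this check
    "2013-12-02T11:00:00|flow|10.20.3.7|10.10.1.5|2048|443",          # PoS to payment host: expected
    "2013-12-02T16:05:00|flow|10.20.3.7|10.30.0.9|524288|445",        # PoS to an internal staging host
    "2013-12-03T11:30:00|flow|10.30.0.9|203.0.113.10|1073741824|21",  # staging host pushing data out over FTP
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.rule:30s} {f.line}")
```

Run against the sample log, `analyze` returns four findings: two for the holiday-night vendor login to a PoS host (out of scope and off hours), one for the PoS terminal sending to a host that is not the payment processor, and one for the FTP session to an external address. The segment and hours policy is deliberately static; in a real deployment the allowed destinations would come from the network's own segmentation rules rather than constants.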

1.1.7 Selling the Stolen Data

The gang moved quickly, trying to sell the stolen credit card details before the hack was discovered. They made the data available on their own marketplace website, as well as on auction sites on the dark web and black market private dealerships. They sorted the stolen cards into categories, offering them for sale in blocks, such as ‘Tortuga’ and ‘Barbarossa’. These were bought by other black market fraudsters to create new counterfeit cards, mainly for shopping in stores for items that could be easily resold; the cards were classified by ZIP code so that the fraudsters could shop locally, like the real card owner, to lessen suspicion. These card details contained full transaction information and verification details and were offered for prices around $20. They also offered non-US cards, chip-and-PIN (Europay, MasterCard, Visa [known as EMV cards]), and platinum or premium cards, which were sold at higher prices, up to $120.6

1.1.8 Buy Back and Discovery

The sites where credit card information is offered for sale are routinely monitored by fraud detection officers from the card companies and major banks. It is a poorly-kept secret that the banks themselves buy back some of the card details on offer to take them off the black market and protect their cardholders. Banks may in fact be some of the best customers of credit card hackers. Around December 15, the bankers who were buying back their cardholders' details noticed that large volumes of new credit card details were appearing on the black market, with one thing in common – they had all made a purchase at Target in the past few days. They called Target. Some of them also spoke off the record to a cyber security journalist, Brian Krebs, who may have broken the news story on his blog on December 18.7 Target's forensic teams and their security consultants identified and removed the malware from the infected point-of-sale systems in a few hours, and began a full internal systems security audit and investigation. The investigation took many weeks to complete.

1.1.9 Disclosure

Target Corporation made a formal announcement of the data breach on December 19, 2013, saying that the matter was under investigation and that Target was now working with law enforcement authorities and financial institutions.8 US state regulations for the protection of personal data require companies that have a data breach to disclose it publicly and promptly, and to take steps to notify the individuals whose personal data has been compromised. Target's website providing information about the breach, and its customer service hotlines, became overloaded as the company began to assist customers with questions about whether they might have been compromised and what to do about it. Target had to hire additional customer service personnel to deal with the surge in worried calls.

1.1.10 Customer Management

The first question from any Target customer was ‘Was my card information stolen?’ Not all of the point-of-sale terminals had been infected, and it wasn't initially clear how long the interceptions had been going on. The forensics to understand the extent, duration, and transactions that might have been compromised took several days to unravel. Target worked with banks to have millions of compromised cards stopped and reissued.

Customers' main fears in response to having their card and personal details stolen are that their cards could be used in fraudulent payments, that they could lose money from their bank accounts, and that their own credit histories and ratings could be impacted. Target offered credit monitoring for a year to each person whose details were stolen. There is also a potential for a secondary fraud, where a criminal armed with the stolen personal details contacts individuals and tricks them into false payments or more disclosures. Target offered advice to counter secondary fraud, including changing account passwords and insisting on ring-backs for unsolicited phone calls.

1.1.11 Target's Costs

Target's direct costs from the breach reached over $200 million, and took several years to accrue. In 2015, Target paid out $40 million to banks and credit unions that lost money, paid out to buy back card data, or incurred further loss resulting from the data breach.9 A consumer class action was settled at $10 million to establish a fund for victims of the data breach, with individual customers able to claim up to $10,000 if they could provide satisfactory evidence of their losses and costs incurred. Victims were also allowed to apply for up to two hours of their ‘lost time’, billable at $10 per hour. Allowable costs include reimbursed charges on their credit cards, fees for hiring a professional to correct a credit report, late and declined payment fees, and other costs incurred as a consequence of the breach.10

Target came to a $18.5 million collective settlement for the regulatory fines with the state attorney generals in the 47 states where it had stores in 2017, the largest payout being $1.4 million for California, with 7.7 million affected Target customers. An additional component of the regulatory settlement ensured that Target implemented a comprehensive information security program, overseen by an independent, qualified third party, and employed a chief information security officer, reporting to the chief executive and board.

1.1.12 Strategic Impacts on Target Corporation

The data breach had additional consequences for Target Corporation. The chief executive resigned in May 2014, following the chief information officer in March. Profits for the quarter following the breach dropped by 46%, and contributed to a reduced profit for the year.11 The damage to the company's reputation caused a reduction in visits to its stores. Target attempted to offset this with a 10% discount offer immediately after the breach, but customer confidence was not easily restored, and Target continued to struggle for some months. Consequential costs of the impact on Target's revenues in the year that followed the breach are harder to gauge, but some estimates suggest it could have been between $1 billion and $2 billion, more than five times the direct costs and between 1.4% and 2.8% of Target's annual revenue.

Share prices dropped several times in response to various stages of disclosure about the breach, initially falling 11% in the weeks after the breach, recovering around 7% with a comforting financial outlook reporting in the following quarter of 2014, and falling again with various settlements and payouts as they were resolved over the following years. Some analysts see the data breach as having undermined confidence in the company's strategic direction, as it tries to promote in-store experience to compete with e-commerce retailers.

1.1.13 And the Rescator Team?

Nobody was ever caught or prosecuted for the Target cyber hack. Two petty criminals were caught in possession of 112 derived fraudulent credit cards, but to date none of the perpetrators. Target Corporation was not the only victim of point-of-sale malware during the holiday period of 2013. Neiman Marcus and three other retailers reported credit card intercepts. The illegal marketplaces, including Rescator's own marketplace, where the stolen credit cards were offered for sale, were abandoned shortly after the publicity broke. It is difficult to know how much money the Rescator gang made from the operation. A conservative estimate might be $50 million: a long way from the $2 billion it cost Target. The Rescator gang, named for a mysterious pirate, has vanished with its treasure, back to the seven seas.

1.1.14 Fallout

The consequences of the Target data breach have been profound. Point-of-sale systems have been largely redesigned, and the key vulnerability has been addressed. It is no longer acceptable practice to have point-of-sale systems accessible through the same IT network as HVAC controls and other general activities accessed by a broader, less secure community. Data encryption practices have become more widespread, and verification processes have become more secure. Hacks like these have accelerated the take-up of chip-and-PIN (EMV) credit card technology in many countries of the world, which cuts card-related theft by up to 70%. It is highly unlikely that a cyber hack using the same exploits and techniques as the Target data breach will be seen again.

But it doesn't mean that new techniques won't be used to carry out a similar scale of cyber attack in the future.

1.2 A MODERN SCOURGE

1.2.1 Types of Cyber Losses

The Target Corporation data breach in 2013 was a high-profile cyber attack that caused a variety of losses and business impacts on one of the largest companies in the United States. However, it was only one of many successful cyber attacks that year; 2013 was a record year for data exfiltration events in the United States. There were 31 reported breaches that year where a US company lost a data set of a million personal records or more, and over 640 US companies reported a loss of more than a thousand personal data records.

Historically, 2013 looks to have been a peak year for the number of US data breach events, as US companies have improved their data security, and incident rates have dropped in the years since. However, all over the rest of the world, the number of data exfiltration incidences has been steadily increasing – the types and severities of attacks seen in the United States since 2005 are now occurring in many other countries.

Data exfiltration attacks are only one of the ways that cyber attacks cause loss to individual organizations and to society as a whole. Most organizations of any significant size report having to deal frequently with cyber incidents of many different types – attempted attacks, probes, phishing approaches, suspicious software detection, unusual network traffic. Sometimes these result in a ‘cyber loss’ – the organization is compromised in some way and incurs costs through payouts or business disruption. Of course even dealing with attempted attacks has a business cost (which we will come back to later), but in general we refer to a ‘loss’ as being a cyber incident that results in an organization having a significant unexpected financial payout or an episode of business disruption that prevents the generation of expected revenues. The next chapter describes and defines the losses that can be caused by the various types of cyber incidents, including data exfiltration, so costly to Target, as well as contagious malware, extortion, financial thefts, denial of service attacks, failures of networks, and outages of providers. We also try to define the range of severities of these different types of loss, and a threshold of severity that we might consider as significant, which we use to define ‘loss’ incidents in this book. In our third chapter we describe the loss processes that can occur from cyber attacks to physical systems and devices.

1.2.2 The Direct Payout Costs of a Cyber Attack

A cyber attack that succeeds in penetrating the defenses of an organization can cause losses in various ways. As illustrated in the example of the data exfiltration attack on Target Corporation, the $200 million in direct costs consisted of losses from several different sources.

A company suffering a cyber attack can expect to incur direct payout costs in a number of different areas, depending on the type of attack and the magnitude and characteristics of the attack. Costs of different types of attack are described in more detail in Chapter 2. Types of direct payout costs include:

The response and forensics costs of the IT security team, both internal personnel and typically involving external consultants, that has to diagnose what happened as quickly as possible and render the system safe from further exploitation. New technology, equipment, software, and systems may need to be purchased to remedy vulnerabilities.

Compensation for people whose personal data is compromised, including costs of notification, managing their enquiries and providing customer support, providing credit watch services, and payouts for any losses these individuals may suffer.

Fines that may be imposed by regulators.

Legal costs to defend any litigation that might be brought against the company, including the costs of settling the action or losing the case and paying damages or even punitive awards.

Losses from the theft of financial assets – currency, transfers, trading value – which is the motivation behind many attacks.

1.2.3 Operational Disruption Causing Loss of Revenue

Costs are also incurred to the affected company from the disruption to business operations resulting from the attack, particularly lost revenues from commercial activities that are unable to be performed. Operational disruption can last for several hours or days and affect many parts of an organization. Surveys of corporate security executives show that breaches impact more than a third of a company's systems in around 40% of cases and more than half of systems in 15% of cases. They disable operational activity, including revenue generation, for more than 9 hours in 35% of cases and for durations of 24 hours or more in 9% of cases.12 Operational disablement of systems can result in revenue loss to many different business processes, and each organization is different. Losses can occur from suspending customer purchasing activities, such as e-commerce or point-of-sale technologies; provision of services, such as hosting applications; fulfillment of orders; manufacturing or creation of products for sale; and interruption of the business process supply chain. These losses of revenue that can be directly attributed to the interruption of systems caused by the cyber attack are often included in direct costs estimates of a cyber attack.

1.2.4 Consequential Business Losses from a Cyber Attack

The consequential business losses from a data breach can be more severe than the direct costs. The company's reputation is damaged. Senior executives resign. Customers lose trust and transfer their business elsewhere. Revenues dip, and market share is lost to competitors. Studies show typical churn rates of around 7% of a company's customers after a data breach, and 31% of consumers have discontinued a relationship with an organization that has suffered a data breach.13 Around a third of companies that experience a breach have reportedly suffered revenue loss, around 12% reported losses greater than 20% of their annual revenue, and just over 1% lost more than 80% of their annual revenue.14 These companies also reported customer desertion and significant losses in business opportunities as a result of the breach.

Companies that suffer a costly cyber attack typically see their stock prices marked down.15 Analysis of historical cases shows that companies see their share prices reduced by an average of 5% after a data breach attack.16 Stock price reductions can be short term while the market waits to see how the company will be affected, but in cases where the consequences prejudice the organization's business model or long-term profitability, investors can mark them down significantly and for a long period.

A major cyber attack can cause a company to have its credit ratings downgraded.17 Companies seen as a credit risk lose suppliers as well as customers, and find it more expensive to borrow capital and fund their cash flow. Credit rating downgrades indicate to the public that a company is in distress, and can hasten a company's decline and threaten its viability.

These combined effects have meant that some companies have declared bankruptcy following cyber attacks.18 Companies that have had their intellectual property (IP) stolen have found themselves outcompeted in the market, leading to their long-term failure.19

The viability of a company can also be threatened in other ways if the consequences of the attack are severe enough. There have been cases where class-action litigations brought against a company for its data breach liabilities far exceed the capital valuation of the company.20 Companies have been devalued in merger and acquisition negotiations because they suffered data breaches.21 The impact of experiencing a data breach can go far beyond the direct costs, and can impact the brand, the reputation, and the viability of the company itself.

1.2.5 Cyber Attack Economic Multipliers

Finally, the effects are not isolated to the individual organization that is attacked. The consequences are also felt by the company's suppliers and trading partners, investors, financiers, and other counterparties. They in turn sell less to the affected company and reduce their revenues, or they lose part of their investment value, loans returns, or earnings. Companies are part of a network of commerce, and the failure or reduction in performance by one company has consequential effects on others. Economists term this the multiplier effect, or ‘financial spillover’. Cyber attacks have a clear multiplier effect on the economy as a whole.

In an analysis that the authors published in 2014, we assessed the economic multipliers of cyber attacks by tracking the connectivity of companies in the global economy.22

Figure 1.1 shows a network diagram of around a thousand of the largest enterprises in the global economy, sized by their annual revenue, with the trading relationships between them shown by the thickness of the line, and the direction of payment flowing counterclockwise. The reduction in annual revenues of any of these large corporations has a consequential effect in reducing their requirement from their suppliers and curtailing their ability to purchase from trading partners. Fluctuations in quarterly reported revenue (from whatever cause) affect trading partners when change exceeds around 10% of expected annual revenue, with greater increases having disproportionately larger effects on their counterparties. The number of trading partners and the depth of trading relationships influence how these impacts spread through the trade network. For a medium-to-large company losing around 20% of its annual revenue (something that occurs in around 12% of data breach cases), we estimate the economic multiplier to be around 1.6 – i.e. the suppliers and customers collectively lose an additional total of 1.6 times the losses that the company itself loses in a cyber attack.

FIGURE 1.1 Trading interconnectivity of major companies in the global economy. Cyber losses can cascade through the economy to create a multiplier effect for economic costs. Oracle, a market-leading provider of databases, is highlighted to illustrate an example of the key role played by providers of information technology in the global economy.

Source: CCRS (2014a).

For example, if a company with a $1 billion turnover suffered a data exfiltration event of 20 million personal records, it would face direct costs of around $50 billion, combined with consequential business costs by subsequently losing around 20% of annual revenue ($200 million), and its suppliers and counterparties suffering collective losses of 1.6 times this ($320 million). The total cost of this example of a single data breach on the overall economy is $570 million, more than 10 times the direct costs. Fully recognizing the economic costs of cyber attacks is important in assessing the value of measures to reduce cyber risk.

The economic multiplier increases if several companies suffer losses at the same time. If several of the impacted companies share a supplier, then they may all reduce their volume of orders to that supplier and cumulatively inflict a large enough loss to the supplier to cause it to have financial difficulties, with knock-on effects to its own suppliers and trading partners. This cascade of effects through the economy is known as a systemic shock. This is what makes cyber catastrophes such a concern.

1.3 CYBER CATASTROPHES

A cyber catastrophe is an event that causes substantial losses to many organizations. For many years people have predicted a ‘cyber 9/11’, a ‘cyber Pearl Harbor’, or a ‘cyber Black Swan’. These predictions identify the issue of the potential for strategic surprise from an unexpectedly large cyber catastrophe.

We define a cyber catastrophe as a cyber incident (a criminal campaign, a malware attack, or a major malfunction) that results in significant direct costs and consequential business losses to many (more than 10, but could be many thousands) multinational or very large premier organizations, or very many (more than a thousand) small and medium-size enterprises.23 In addition to being a shock event, a cyber catastrophe can also be a general trend of slow losses and reduced economic revenues.

1.3.1 NotPetya and WannaCry Cyber Catastrophes

NotPetya and WannaCryptor malware attacks are profiled in more detail in the next chapter. These are examples of cyber catastrophes at the relatively low end of the potential magnitude scale.

The NotPetya virus release in June 2017 penetrated at least 8,000 computer networks, infecting many hundreds of thousands of individual devices, in organizations across 65 countries. More than 300 public companies declared losses to their quarterly results as a result of their infections from NotPetya, several reporting losses of hundreds of millions of dollars. The direct and consequential business losses to the infected organizations is estimated to have exceeded $10 billion.24

The WannaCry ransomware attack in May 2017 was more widespread, but less severe overall. It caused more than 300,000 infections, mainly smaller businesses, but the impact did disrupt the operations of some major organizations, including healthcare providers whose patients were put at risk. The combined losses to the infected businesses are estimated to have been several billion dollars.25

1.3.2 Near-miss Cyber Catastrophes

These events and others in recent history demonstrate that cyber catastrophes have the potential to disrupt many businesses worldwide simultaneously. In fact, these recent events can be seen as ‘near misses’. They were bad-enough events, but could have been even more severe with only minor changes in the way they occurred. Our counterfactual analysis of the WannaCry timeline, described in more detail in the next chapter, suggests that the WannaCry event could have been many multiples of its actual cost if it had occurred three months earlier and had not included a kill switch in its software design.

There have been several other cyber events that had the potential to become truly systemic, and to inflict widespread disruption and business losses on thousands of organizations. These might be considered as early warning indicators of potential cyber catastrophes. They include:

A cyber heist operation on banks by penetrating the Society for Worldwide Interbank Financial Telecommunication (SWIFT) financial transaction system impacted more than a dozen national and international banks (August 2016), resulting in the theft of $81 million, but the theft of a billion dollars was attempted and narrowly thwarted. The heist compromised a secure ‘network of trust’: the SWIFT financial system, used by 11,000 banks, any or all of which could potentially have been robbed.

A distributed denial of service (DDoS) attack on Dyn, a provider of

Domain Name System

(

DNS

) and internet optimization services (October 2016), caused disruption to thousands of its internet service company customers in Europe and North America. The attacks caused service losses of several hours during a single day to many leading e-commerce businesses. It highlighted the vulnerability of DNS infrastructure supporting the digital economy, and indicates the potential for cyber catastrophes to disrupt global e-commerce.

An outage of

the Amazon Web Services

(

AWS

) Simple Storage Service (S3) for five hours affected 148,000 websites and nearly a quarter of all AWS cloud users (March 2017).

Cloud service provider

s (

CSP

s) like AWS, Google Cloud Platform, Microsoft Azure, and IBM Bluemix tend to have very low failure rates, but the dependency of so many businesses on these leading CSPs means that if there were to be a failure then there is potential for a CSP outage to disrupt many thousands of cloud-reliant businesses.

The release of stolen

National Security Agency

(

NSA

) and Central Intelligence Agency (CIA) cyber toolkits by a cyber hacking group calling themselves

ShadowBrokers

was a game changer by making highly professional cyber weaponry available to less skilled amateur hackers (August 2016 and April 2017). The releases included 15 ‘zero day’ exploits for common software in use, and 24 other tools. The toolkit provided the keys to unlock the firewalls of 30% of all global corporations. These exploits were incorporated into the malware of

NotPetya

and

WannaCry

, but also illustrates how tools could suddenly become available to bypass the apparently impenetrable security systems operated by most of the major international companies.

A security bug in widely used open-source database MongoDB meant that ransomware

Harak1r1

was able to access data in ‘tens of thousands’ of MongoDB installations and deny them access until payments were made (January 2017). ‘Many’ MongoDB servers were reported extorted. This raises the specter of industry-standard software in use by large numbers of organizations suddenly failing or causing losses simultaneously as a result of an internal software bug or vulnerability.

There has not yet been a truly catastrophic cyber event that has cost the economy hundreds of billions of dollars. It is human nature to dismiss possible dangers before an event has actually occurred. But there are reasons to believe that future cyber events are possible that could inflict individual costs of hundreds of millions or even billions of dollars to thousands of major businesses, and inflict crippling losses on large numbers of small and medium-size enterprises. These events, described in the following section and illustrated in Figure 1.2, would have a heavy impact on the economy and on society in general. The likelihood of a future societal catastrophe from cyber attacks is one of the strongest justifications for taking more action to solve cyber risk.

FIGURE 1.2 Global cyber risk: likelihood of loss occurring from cyber attacks. Source: Authors (2018).

1.3.3 Is Cyber Threat Systemic?

The concept of cyber threat having the ability to scale up to cause systemic losses to thousands of organizations, with potential to cause catastrophic consequences for our society and our economy, is better accepted now, but the recognition of this potential is relatively recent. This led people to assume that cyber threat is predominantly characterized by separate loss events at individual organizations, and is limited in its ability to propagate more broadly. Only a few years ago there was still debate about whether the emerging threat from cyber risk is truly systemic, and the extent to which cyber risk could scale.26

Part of the authors' research has been assessing the risk of extreme events for regulators, governments, insurance companies, and corporations.

1.3.4 Potential Cyber Catastrophes

There are several ways in which cyber catastrophes could occur. We have developed plausible scenarios that are used as stress tests by organizations in their cyber protection planning. In the next chapter we include a ‘severe but plausible’ cyber catastrophe scenario for each of the cyber loss mechanisms described. It is possible that next year could see the number and severity of data exfiltration incidents increase by an order of magnitude, as a result of a concerted campaign by criminals armed with a new toolkit of exploits to penetrate the security systems of multiple multinational companies.27 Another potential cyber catastrophe scenario is a contagious ransomware virus that achieves infection rates much higher than anything previously seen, and is both destructive and disruptive to business activities across large numbers of organizations, of all sizes and nationalities.28 It is possible that denial of service attacks could increase in volume and intensity and target major e-commerce platforms to immobilize many of them for much longer than has been achieved before.29 A major cloud service provider could suffer an outage on a scale and duration that exceeds anything previously recorded, causing hundreds of thousands of its customers difficulties in sustaining their cloud-dependent business activities.30 Industrial control systems could be hacked, damaging and disabling manufacturing and processing operations in large numbers of plants.31

For each of these, the analysis considers the practical constraints of attack vectors, the capabilities of attackers, how many organizations could potentially be impacted, and what limits there might be to the severity of the consequences. In each case there are typically factors that constrain the number of organizations that a potential cyber loss process might impact. For example, to penetrate a large number of companies, a ‘zero day’ exploit operates on a particular software system, so only the companies operating that software system would potentially be affected by that exploit. The market share of industry-standard software systems becomes a determinant constraint on the number of organizations that might be affected. Other constraints include the expected response by the security community to detect, protect, and respond quickly to limit the extent of the impact of any event.

These scenarios estimate the numbers of affected operations and loss costs across the population of organizations in an economy such as the United States. Although large numbers of small and medium-size organizations are affected in these scenarios, the main driver of cost to the economy is the impact on large and premier companies. Scenarios where 15–20% of large companies are impacted are feasible in several of the loss processes. It is possible to envision extreme scenarios where as many as 50% of large companies could be hit, under pessimistic assumptions about the resources and skills available to the attackers, and how different defense and response strategies by the community of security specialists might play out. These scenarios result in direct loss and operational disruption costs to the population of US businesses of many tens, and in some extreme cases hundreds, of billions of dollars. These catastrophe scenarios would not be confined geographically to the United States. Similar losses could be expected in companies affected in other developed economies, including Europe, Australasia, India, China, Japan, and Southeast Asian markets. The direct costs would be exceeded by the consequential losses of earnings to these businesses, and as noted earlier, by the multipliers on the economic impact from their effects on suppliers and customers and the economic trading network.

1.3.5 Cyber Catastrophes Could Impact Infrastructure

There is even greater potential economic impact from cyber catastrophe scenarios that target key components of the infrastructure, rather than the organizations themselves. We have analyzed scenarios where cyber attacks could disable the power supply in different countries. In 2014 and 2015 when we published these analyses, the idea that foreign agents could potentially attack the power supplies in another country appeared far-fetched, until cyber attacks on the Ukraine power grid in December 2015 left 80,000 people without electricity.32

A potential cyber attack could damage and disable multiple power generators in the United States electricity grid. The US grid is compartmentalized into interconnected regions, and the spinning reserve capacity needs to be depleted before cascading failure can occur. A cyber attack that used known vulnerabilities to damage 50 generators in the most populous Northeastern region of the United States could result in loss of power to 90 million people, with reconnection for most of them taking a day or two, but full restoration taking between two and four weeks.33 This results in disruption to businesses in the region, most significantly on the commercial and industrial sectors that are most reliant on power for their business activities. We estimate the total economic impact of such an event at between $243 billion and, under extreme pessimistic assumptions, over a trillion dollars of lost output from the US economy.

A similar analysis of a future cyber attack on the power distribution system of the United Kingdom, a much smaller country and economy and with a different type of power grid architecture, produces a regional power supply outage that affects between 9 million and 13 million electricity customers.34 The knock-on effects include disruption to transportation, digital communications, and water services. The attack results in an estimated loss of between $70 billion and $628 billion to the UK economy.

These scenarios demonstrate that cyber attacks on infrastructure have the potential to generate very substantial shocks to the economies of the countries attacked, and are among some of the most severe consequences of cyber risk to our society.

1.3.6 Could a Cyber Catastrophe Trigger a Financial Crisis?

Cyber attacks and technology errors could potentially trigger a future financial crisis. Flash crashes have been seen on trading exchanges as a result of trading algorithm malfunctions, cryptocurrencies have been hacked and destabilized, and major financial trading systems have been cyber attacked and plundered. There are genuine fears that a future cyber attack or cyber-enabled fraud could trigger a confidence crisis in the markets that would spread through the financial system and result in a worldwide financial crisis with severe negative impacts on the global economy.35 Others disagree, arguing that the financial system is resilient to shocks of this type.36 Even a small financial crisis can wipe hundreds of billions of dollars of value off the market capitalization of listed companies, and can result in reduced output from national economies for years.37 If a major cyber attack succeeded in stealing from large numbers of financial services companies and caused a crisis of confidence by investors in their banks or the values of their financial assets, then the ensuing financial crisis could be more costly and disruptive to society than many other types of cyber incidents.

1.3.7 The ‘Cyber Catastrophe’ of Tech Aversion

One of the worst outcomes from high levels of continued cyber losses or severe cyber catastrophes is the possibility that the general public might lose confidence in information technology, and distrust its ability to deliver benefits that are greater than its risks of security breaches. Surveys of consumers show