Analysis by predictive cyber risk modelling firm Kovrr has warned of the potential for a multi-billion dollar loss to the re/insurance industry stemming from a recently discovered vulnerability in the IoT operating system of a major security company.
Kovrr modelled two scenarios in which attackers exploit the URGENT/11 exposure in VxWorks, which is embedded in over 2 billion devices worldwide.
The first, which looked at a hacktivist sabotage attack on a global car manufacturer in the US, estimated that insured losses could reach $7.3 billion, assuming the company had sufficient coverage to absorb the full costs of the attack.
In the second scenario, Kovrr modelled how exploitation of the URGENT/11 vulnerabilities could lead to a widespread ransomware attack that results in partial business interruption for 700 US manufacturers.
In this case, analysis suggested that economic losses could reach $18.7 billion, of which $13.0 billion would likely be covered by the re/insurance industry.
Kovrr noted that the vulnerabilities found in VxWorks are a clear example of how a single point of failure, such as a common operating system, can lead to a large loss or systemic cyber catastrophe.
“As the volume of cyber attacks continues to grow, it’s important for (re)insurers to understand the potential impact that these emerging threats can have on their portfolios as soon as they are made known,” said Shalom Bublil, Chief Risk Officer at Kovrr.
“The recent Capital One breach is a great example of the manner in which cyber risk could cause the insurance industry to suffer painful losses,” he explained.
“The team at Kovrr is focused on helping underwriting and exposure management professionals make better decisions by delivering actionable data to support the quantification of potentially large and catastrophic cyber loss events.”
The report concluded that risk and exposure managers must be equipped with the capability to predict and price newly emerging cyber risks on demand, for both affirmative and silent cyber risks.
Similarly, in order to avoid being overly exposed, re/insurers must have the ability to quickly determine a portfolio’s exposure to newly introduced vulnerabilities, it suggested.