There’s a new and broadening entry point for cyberattacks, and its name is IoT. Connected devices bring a plethora of exposures that will need to be insured one way or another – the question is, how? And it’s a question that demands an answer.
When a Minecraft botnet took down the Internet
Two years ago in Alaska, three college-age friends pleaded guilty to "masterminding an unprecedented botnet" which "unleashed sweeping attacks" on Internet services across the world, Wired reported.
They hadn't meant to. They were trying to win a game of Minecraft. But their actions incited one of the "biggest security scares of 2016," an election year, in which various unsecured IoT devices such as security cameras and wireless routers were infected by malware. Together, these devices formed a botnet named Mirai: a network of zombie computers executing distributed denial of service (DDoS) attacks on a global scale.
"The teens were using it to run a lucrative version of a then-common scheme in the online gaming world – a so-called booter service, geared toward helping individual gamers attack an opponent while fighting head-to-head, knocking them offline to defeat them," Wired said.
But gamers weren't the only ones getting knocked offline. The "self-replicating computer worm" they created quickly "enslaved some 600,000 devices around the world," paralyzing servers and applications by flooding them with network traffic. Mirai crushed the French hosting provider OVH, the website Krebs on Security (run by industry-leading security reporter Brian Krebs), and the whole Internet of Liberia. Suffice it to say, the botnet "was an insane amount of firepower."
How did it manage to bend so many IoT devices to its will? Simple – their human owners had never changed the default security settings.
"Since most users rarely change default usernames or passwords, it quickly grew into a powerful assembly of weaponized electronics, almost all of which had been hijacked without their owners’ knowledge," Wired said.
Default passwords – simple fix, major problem
Every year, the Verizon RISK team investigates hundreds of security breaches and disseminates an annual report on its findings. Every year, default passwords prove the culprit behind countless, extremely costly incidents.
Here’s how it works. When a user purchases a connected device, per manufacturer instructions they're supposed to replace the default username and password with custom settings. If they don't, the device operates on its defaults – which are painfully easy to guess. For example, a default username might be "admin," and a default password might be "password." By not changing the defaults immediately, users turn their devices into sitting ducks.
In fact, changing a default password may be the most basic security safeguard possible. Yet every year, the RISK team traces multiple major breaches to a failure to do so. According to the team’s latest Data Breach Investigations Report, 2017 was no exception. Even major enterprises have been guilty of the same elementary security error – Equifax being a noteworthy example, as reported by CNBC.
The fact that preventing this particular vulnerability is such a quick fix becomes all the more cringeworthy when a breach leads to millions, even billions, of dollars of damages. And the fact that this continues to happen shows just how far we have to go in reducing cyber risk.
IoT exposures for homeowners and businesses
Which brings us to our next point. Hacking default passwords isn’t the only way in which connected devices can be exploited. It’s simply one of the most common vulnerabilities, paired with one of the easiest fixes. But cybercriminals are capable of much more sophisticated attacks, as well. Bottom line, cyber risk is widespread, its scope is vast, and it plays out on many levels.
Likewise, while the victims in the story above happened to include a journalist, a hosting provider, and an African country, these aren't the only possible victims of IoT exposures. There are many contexts where connected devices can be breached, and the damages that ensue can affect many parties: businesses as well as homeowners.
The FDA identified vulnerabilities in implantable cardiac devices from St. Jude Medical, through which a hacker could deplete the battery or administer incorrect pacing or shocks – interfering with the devices’ ability to monitor patients’ heart function and prevent heart attacks.
The SecurView camera, which can be used for anything from home security to baby monitoring, had faulty software "that let anyone who obtained a camera's IP address to look through it – and sometimes listen as well."
Hacker Noon, meanwhile, raised concerns about other common IoT devices, including parental control systems, smart locks and mobile voice assistants.
How to insure these emerging risks?
When a connected device is attacked, it can harm more than just its owner. In the case of the zombie worm Mirai, connected devices belonging to parties around the world – from individuals to public or private entities – were taken advantage of without their knowledge. From an insurance perspective, questions fly fast on these heels:
If a person’s connected device is used to cause harm without their knowledge or consent, and it results in significant loss – either to them, or to a third party – who pays? Is the loss covered by the policyholder’s insurance, the device manufacturer’s, or some other policy?
Do homeowners’ policies need a cyber rider?
Do homeowners’ insurers subrogate against manufacturers?
At present, the industry doesn’t have answers to these questions. But it’s only a matter of time until insurers will be forced to face these questions head-on.