Is the Insurance Industry Facing a Cyber-Cat? Thousands of Websites at Risk to Heartbleed Bug

Craig Beattie
Insurance Experts' Forum, April 10, 2014

No, I'm not referring to an animated cat in an app, but rather to yesterday's announcement of the Heartbleed bug, which affects the security of over 50 percent of the Internet according to some estimates.

The bug affects the OpenSSL package and is believed to have been in the package since 2011. It affects the way the package deals with heartbeat messages, hence the moniker given to the bug. There are already tools in use that exploit the bug and provide access to recent user data on compromised servers.

There have been security alerts before, with many large brands facing fines and media inquiries about their losses, but this bug potentially affects hundreds of thousands of websites and many businesses globally. Why characterise this as a catastrophe, and why would insurers be interested?

In the last 2 to 3 years, with the cost of data breaches growing significantly, businesses have been offsetting the risk of a breach or loss through Cyber Liability Insurance covers. Whilst the practice and cover is arguably in its infancy, its popularity suggests that this sort of event could constitute a significant liability to insurers globally offering this cover. Further, the event has some characteristics in common with other events requiring catastrophe response:

  • Many insured are at risk.
  • The event will likely draw the attention of governments and regulators.
  • Swift response will mitigate further loss.

There are some significant differences here, though. Most notably, in the event of hail, storm or flooding, the insured are likely aware whether their assets are affected; they may not know the extent of the loss, but they likely know whether they need to claim. Increasingly, risk aggregation and modelling tools are helping carriers and brokers understand the likely impact of catastrophe events. In this case, however, the insured may not be aware whether they are compromised, since the bug allowed for intrusions that would not be logged by the affected systems. The advice is to determine whether OpenSSL is used; if so, the server has been vulnerable, may have been compromised and should be patched immediately.

The full statement regarding the bug is available at http://heartbleed.com/, although it is also covered at http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/, which contains some useful advice. Further coverage is available from Reuters and The Guardian.

As noted on heartbleed.com, Apache and nginx web servers are known to typically use the OpenSSL library and account for 66% of the Internet according to Netcraft's April 2014 Web Server Survey.

Google says that it is not affected; however, Yahoo has already reported that it is working to fix the affected services on its side.

As always, communication and collaboration are crucial to managing these events. Insurer clients of Celent may like to read Celent's case study combining internal and external data to respond to a catastrophe.

This blog has been reprinted with permission from Celent.

Craig Beattie is an analyst in Celent's insurance group, and can be reached at cbeattie@celent.com.

The opinions posted in this blog do not necessarily reflect those of Insurance Networking News or SourceMedia.
