'Systemic Risks' and Cyber Insurance | The dark underbelly of pig butchering scams
#162 - Is it possible to model cyber risks? | Asian Crime Syndicates use AI and DeepFakes to steal money
Cyber Risk Accumulation models
Insurers and Reinsurers need dependable models for cyber accumulation. This collaboration is an attempt.
This piece is not about the cybersecurity industry, but about an offshoot: the cyber insurance industry. Long-time followers will know that I talk about cyber insurance often.
When an insurance company provides you a policy, it adds that ‘risk’ to its portfolio of policies. It has thousands of policies in its portfolio for a particular insurance product. The company then worries about something known as ‘systemic risk’.
A systemic risk is a risk that affects a large number of the policies an insurer has written. Imagine, for a minute, that the CrowdStrike outage was a payable risk for an insurer, and that, hypothetically, every policy it had written was with an insured using CrowdStrike. All of those policies would come up for payment at once. This is a systemic risk.
Understanding systemic risk in cyber is difficult. Three insurance companies took up the gauntlet and collaborated to create a model for it. The paper provides a detailed approach and models it on synthetic data. The model describes four types of risk that accumulate on an insurance book.
These are the four risks:
Common cause - using the same hardware, software or communication tool. For example, a Windows vulnerability will impact a large portion of an insurer's portfolio.
Shared service risk - a shared cloud provider, etc. For example, if AWS were down, many cloud-first companies would be impacted.
Operational dependency - a disruption in one organisation causes others to be affected, like an electricity grid failure. CrowdStrike is an example.
Shared trust and confidence risks - over-reliance on the trust that data and processes are accurate and reliable. I am not very clear on this type of risk.
The paper takes a malware attack as the scenario to model and hopes that the reader will extrapolate to other risks.
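To make accumulation concrete, here is an added illustration on a constructed synthetic book (my own code, not the insurers' model from the paper; the vendor names, limits and probabilities are assumptions): it totals the limit sitting behind each single point of failure per category, then compares the chance of all dependent policies paying at once when they are treated as independent versus when they share a common cause.

```python
from math import comb

# Constructed synthetic book: (policy id, limit, single points of failure by
# accumulation category). Vendors are named only to mirror the article's examples.
BOOK = [
    ("P1", 1_000_000, {"common_cause": "Windows", "shared_service": "AWS", "operational_dependency": "CrowdStrike"}),
    ("P2", 500_000, {"common_cause": "Windows", "shared_service": "Azure", "operational_dependency": "CrowdStrike"}),
    ("P3", 750_000, {"common_cause": "Linux", "shared_service": "AWS"}),
    ("P4", 250_000, {"common_cause": "Windows", "shared_service": "AWS"}),
    ("P5", 2_000_000, {"common_cause": "macOS", "shared_service": "GCP", "operational_dependency": "CrowdStrike"}),
    ("P6", 300_000, {"common_cause": "Windows", "shared_service": "Azure"}),
]

def exposure_by_dependency(book):
    """Total limit tied to each dependency, grouped by accumulation category."""
    totals = {}
    for _, limit, deps in book:
        for category, vendor in deps.items():
            totals.setdefault(category, {})
            totals[category][vendor] = totals[category].get(vendor, 0) + limit
    return totals

def largest_accumulation(book):
    """(category, dependency, limit) for the single failure touching the most limit."""
    candidates = [(cat, vendor, total)
                  for cat, vendors in exposure_by_dependency(book).items()
                  for vendor, total in vendors.items()]
    return max(candidates, key=lambda t: t[2])

def p_at_least(n, k, p):
    """P(at least k claims among n policies, each claiming independently with prob p)."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))

def tail_independent(n_dependent, k, p_event, q):
    """Tail if the n dependent policies are (wrongly) treated as independent,
    each with the same marginal claim probability p_event * q."""
    return p_at_least(n_dependent, k, p_event * q)

def tail_common_cause(n_dependent, k, p_event, q):
    """Tail when claims only arise from the shared dependency failing (prob p_event)
    and each dependent policy then pays with prob q; same marginal, fatter tail."""
    return p_event * p_at_least(n_dependent, k, q)

if __name__ == "__main__":
    cat, vendor, total = largest_accumulation(BOOK)
    n = sum(1 for _, _, d in BOOK if d.get(cat) == vendor)
    print(f"Largest accumulation: {vendor} ({cat}) touches {total:,} across {n} policies")
    # Same per-policy claim probability, very different chance of all n paying at once
    print(f"P(all {n} pay), independent assumption: {tail_independent(n, n, 0.01, 1.0):.2e}")
    print(f"P(all {n} pay), common cause:           {tail_common_cause(n, n, 0.01, 1.0):.2e}")
```

The two tail figures differ by orders of magnitude even though each policy has the same 1% claim probability in both models, which is exactly the gap an accumulation model exists to close.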
Take Action:
For Cyber Underwriters - This is a start for modelling your cyber portfolio. You will have to tweak your proposal forms to include questions that help you model these risks.
For Cybersecurity Professionals - This document gives you a detailed understanding of how insurers think. If you are on the path to cyber risk quantification, it is a good addition to your reading list for understanding how to quantify complex scenarios and risks.
Pig Butchering Scam Factory
Access to GenAI tools has made technology easily available to Asian crime syndicates
I wrote about pig butchering scams a while back.
Pig butchering scams are elaborate social engineering attacks. Here is an ironic GenAI definition of pig butchering scams:
Pig butchering scams (or Sha Zhu Pan scams) are a type of financial fraud that combines romance scams and investment fraud. The term refers to how scammers "fatten" the victim with trust and emotional manipulation before "butchering" them by stealing large sums of money.
If you have been added to a group chat on WhatsApp where all the group members have made more than 300% profit, you have already heard of this scam.
The UN Office on Drugs and Crime thinks this is a big problem. It has released a report on these scams. While heinous in themselves, there is also a huge element of cyber fraud that the victims are forced to perpetrate. Look at the top right of the image below. People are tricked into committing cyber fraud.
Take Action:
Pig butchering scams require manual labour: people to build relationships and trust and then run the scam. Crime syndicates obtain this labour by various means. The more people fall for it, the greater the need for such labour.
While most of us are not in a position to actively help the forced labourers, we can reduce the need for them by spreading awareness about pig butchering scams. The fewer the people falling for such a crime, the less the forced labour and the less the human trafficking. It has a direct impact. Make sure you include detailed training on pig butchering in your company. Do it pro bono in your circle of influence.
I have to say, I don't generally find myself thinking that I'd like to learn more about insurance (even when it's the cyber insurance flavor) :) - but the section on it here was clear and interesting. Thanks for sharing.