A three-hour shutdown of the New York Stock Exchange on the same day that a network failure halted all United Airlines flights in the U.S. had people across the country thinking one thing: cyber-attack.
It wasn’t, but the July 8 incidents were alarmingly close to the Armageddon scenario that Austin Berglas, a former Federal Bureau of Investigation agent, described in an interview last month, in which the Nasdaq exchange, the New York subway system and power provider Con Edison go offline at the same time.
Berglas, who started the FBI’s New York cybercrime unit in 2009 and worked on probes into a breach at JPMorgan Chase & Co. and the Silk Road drug market, joined corporate investigations company K2 Intelligence in April. The firm is partly owned by American International Group Inc., which is seeking to sell insurance policies for property and infrastructure damage caused by hackers and cyberterrorists.
“There’s going to be mass panic, people are going to think it’s a terrorist attack, people are going to think it’s another 9/11 event,” Berglas said. “You’re not only dealing with a cyber-incident, but now you have to get folks stranded in a subway in the middle of tubes, or people stuck in buildings.”
K2, founded by corporate investigators Jules Kroll and his son Jeremy, has been bulking up its cyber-response unit with former FBI agents. AIG, one of the first firms to offer insurance for property damage caused by hackers, is counting on Berglas’s team to investigate attacks on policyholders. It’s also asking K2 to provide data on threats to protect clients from events that could cost hundreds of millions of dollars.
“We’d like to aggregate that data to use for ourselves, but also to use for our clients so they know what industries are being targeted by what type of attackers, what the motivation is, if it’s on the rise,” said Tracie Grella, who oversees cybercoverage at AIG for clients including retailers, banks and energy companies.
Grella said AIG will offer coverage limits of as much as $100 million for property damage and $100 million in bodily injury caused by a cyber-attack. She predicts the market could balloon to $10 billion in annual premiums by 2020, compared with about $2 billion this year, as more companies buy policies. That’s still small compared with the more than $85 billion of premiums for homeowners’ policies sold in the U.S. last year.
Zurich Insurance Group AG and Munich Re say they are considering offering infrastructure-damage policies similar to AIG’s. None of the companies has signed a contract.
“We are listening to our customers, who tell us they are looking for larger limits -- some as high as $1 billion in coverage for cyber property damage and business interruption for larger corporate properties and facilities,” said Dan Riordan, chief executive officer of Zurich Global Corporate in North America. He wouldn’t say how much coverage Zurich might provide.
Since the first cyberpolicy was written in the late 1990s, insurers have been unwilling to provide coverage for all losses. Most firms are reluctant to offer policies for property damage resulting from hacking because there’s almost no data available to determine costs, according Tracy Dolin, an analyst at Standard & Poor’s. Insurers have been excluding infrastructure damage caused by cyber-attacks from standard property and general liability policies, said Kevin Kalinich, who leads the cyber-risk team at insurance broker Aon Plc.
Berglas, 43, who started working at the FBI in 1999 after a six-year stint in the military, is wiry and unassuming. During an interview at K2’s midtown Manhattan office, he used terms like DDoS attack, TTP and CISO -- that’s Distributed Denial of Service; Tactics, Techniques and Procedures; and chief information security officer. But he can describe nightmare scenarios to civilians in clear sound bites.
He began working on cybercrime at the FBI while investigating child exploitation over the Internet. After starting the New York team, he had several high-profile assignments, including overseeing last year’s probe of a network breach at JPMorgan that involved more than 70 million customers. Members of his 100-person team also seized control of Silk Road’s online drug market, leading to a life sentence for kingpin Ross William Ulbricht.
That experience is useful to AIG, which has fewer than 20 years of actuarial records to craft its cyber-offerings, compared with 50 to 100 years of data available to underwrite other forms of property or general liability insurance, Grella said. She first met Berglas about a year ago, when the FBI briefed AIG on global cyber-risks. She said she realized that the insurer and the government were seeing similar threats.
Berglas’s expertise is also of value to the Krolls, who have been seeking to expand their cybercrime prevention practice. Known for his on-the-ground detective work, such as locating the hidden assets of dictators Saddam Hussein and Ferdinand Marcos, Jules Kroll made his first foray into the field in the 1990s, when AIG owned a piece of his predecessor company, Kroll Inc. That firm was sold to insurance broker Marsh & McLennan Cos. for almost $2 billion in 2004. Five years later, the Krolls started K2.
In addition to Berglas, K2 has hired Milan Patel, a senior investigator in the FBI’s cyber division who worked with the White House to improve security for critical infrastructure, and Joseph Lawlor, who specialized in state-sponsored intrusions, especially from China.
“What’s changing every day is the threat,” Jeremy Kroll said. “Guess what the bad guys are up to? They’re up to new technologies and tools.”
Out of about 100 cyber-attacks assessed by the U.S. Department of Homeland Security last year, incidents in the energy industry more than doubled to 43 events.
“It’s a very 21st century exposure,” said Robert Rosenzweig, a national cyberpractice leader at risk-strategy firm DeWitt Stern. “Property was previously for a natural peril, water, whatever.”
To quantify potential property damage from a cyber-attack, Lloyd’s of London and Cambridge University modeled a scenario that blacked out parts of the northeastern U.S. for several weeks. The study, released this month, found $1 trillion in property damage, higher death rates and crippled infrastructure.
The largest cyberpolicy is about $500 million and is provided by multiple insurers, according to AIG’s Grella. Most companies have far less. Target Corp.’s policy covered about $90 million, which left the retailer with $162 million of uninsured legal, business-interruption and network-restoration costs from a 2013 breach, S&P estimated in a June report.
The 2002 Terrorism Risk Insurance Act provides a temporary federal backstop for certain losses from certified acts of terrorism. Insurance industry groups are discussing asking Congress for similar legislation that would cover costs from major cyber-attacks, according to Adam Hamm, North Dakota’s commissioner of insurance who represents regulators on the U.S. Financial Stability Oversight Council.
“The industry is saying, ‘We’re not willing to have unlimited exposure here,’” Hamm said.
K2 isn’t the only firm helping insurers prepare for a cyber-attack. Berglas is vying with companies such as Verizon Communications Inc., which offers malware detection and security consulting, and FireEye Inc.’s Mandiant, which advised on a breach at Sony Corp. last year. Mandiant has hired more than 100 former government officials since 2013.
While the former FBI agents have provided a wake-up call with their apocalyptic scenarios, Berglas and his team know there are events companies can’t prepare for. That’s where AIG can help, said Bob Brenner, K2’s global head of cyberdefense services and a former federal prosecutor.
“It’s pretty clear you can’t mitigate all risks,” Brenner said. “There’s a role for insurance for offloading a certain portion of that risk that can’t be protected overall, so that people can feel comfortable that they are going to continue to exist, even if there is a significant event.”