On June 5, 2014, new OpenSSL vulnerabilities were announced, including one that permits man-in-the-middle attacks and another that allows attackers to run arbitrary code on vulnerable devices. These vulnerabilities, along with the previously discovered Heartbleed bug, show that technological solutions alone may not eliminate cyber risk.
In the same week these vulnerabilities were announced, a filing by the U.S. Department of Justice described the damage caused by one version of sophisticated malware. The Department of Justice estimates that the GameOver Zeus malware has infected between 500,000 and 1,000,000 computers and has so far caused “direct and indirect losses to consumers and businesses exceeding $100 million.” Antivirus software alone does not always prevent such infection; a leading antivirus developer recently stated that, as a result of advances in malicious code, antivirus software is now “dead.”
With technology capable of providing only partial security solutions, a proactive approach to addressing cyber risk should include evaluating risk transfer mechanisms, such as insurance.