The meteoric rise in cyber criminality, combined with the rapid transformation of the geopolitical landscape, means that insurers and reinsurers now need to broaden their collective thinking over what constitutes a physical catastrophe.
As part of an effort to manage the potential for systemic cyber losses, they also need to redouble their efforts to eliminate so-called ‘silent cyber’ risk.
Not so long ago, the old definition of a catastrophe referred to an infrequent event that causes severe loss, injury and/or property damage to a large population of exposures. It would usually be associated with natural events like windstorms or floods.
Man-made disasters such as explosions, pollution or nuclear fallout could also lead to concentrated insurance losses. But now there’s a third dimension that insurers need to consider: cyber catastrophe.
While the world is yet to experience a truly catastrophic cyber-physical attack from either criminals or hostile states, the potential impacts could be significant, crippling entire systems and societies, according to a new report from the insurance and reinsurance marketplace Lloyd’s*.
To date, cyberattacks have mostly targeted the availability, confidentiality or integrity of data rather than causing operational, environmental or material damage.
The most destructive attack in recent years was NotPetya in 2017: malware that posed as ransomware but was in effect a wiper, attributed to Russian military intelligence hacking units. Seeded through a compromised update to a Ukrainian accounting package, it spread to global corporations and caused an estimated $10bn in damages.
But the physical threat is growing, with attacks aimed at critical infrastructure rising from fewer than 10 in 2013 to almost 400 in 2020, according to the Lloyd’s report.
Physical damage scenarios
The report outlines three hypothetical but plausible scenarios involving politically motivated cyberattacks intended to cause physical damage. Set against a climate of heightened geopolitical tension, a major attack of this kind affecting physical systems, national infrastructure and the global economy has become far more likely, according to Lloyd’s.
The first scenario outlines the potential impacts on businesses and the insurance industry of an asymmetric attack exchange, where a rudimentary cyber power sponsors non-state ransomware attacks by cybercriminals targeting another nation’s critical infrastructure.
Another imagines an offensive cyber retaliation where regional tensions over nuclear development programmes spill over into cyber-physical sabotage of critical infrastructure.
Finally, a symmetric attack exchange sees two sophisticated cyber superpowers engage in an escalation of destructive cyberattacks on critical infrastructure.
The physical cyber threats, leading to catastrophic man-made disaster losses, that could arise from such scenarios are many and varied, according to the report’s authors. They mostly relate to targeting energy infrastructure with the aim of causing fires and disruption, including weaponising lithium-ion battery management systems or fuel sources such as pipelines.
Attacks on industrial machinery, turbines, generators or transformers could see the internal momentum or heating of a machine compromised to cause an explosion or other physical failure. It has happened before: in 2014 attackers who had compromised the control systems of a German steel mill prevented a blast furnace from being shut down properly, causing massive damage, and the Stuxnet worm, discovered in 2010, manipulated centrifuge speeds at Iran’s Natanz uranium enrichment plant until the machines destroyed themselves.
Critical infrastructure outages
Other scenarios examined in the Lloyd’s report include an attacker gaining remote access to an internal automotive network and compromising safety-critical electronic control units; widespread flooding caused by overriding pumps and flow management systems, rendering them either dangerous or unusable; and a cyberattack that causes a power outage, shutting down key national infrastructure such as the emergency services, communications, healthcare or other systems.
The simple fact that organisations are digitising at an accelerating rate, including converging IT with operational technology (OT) and leveraging cloud and industrial Internet of Things technologies, has multiplied the number of entry points into OT.
Lloyd’s scenarios are intended as useful tools for insurers looking to assess the potential upper limits for shock loss events stemming from cyberattacks. Importantly, its analysis will also serve insurers aiming to monitor product coverages across classes for their relevance to cyber-physical peril.
But Lloyd’s stresses that silent – or non-affirmative – cyber exposure still has the potential to aggregate losses significantly, because policies that carry no explicit cyber exclusion, grant coverage implicitly, or use ambiguous language could all be triggered by the same event. “This requires an active strategy to consider different potential cyber-physical scenarios, and where the losses may fall from these. As part of this, attaining coverage clarity across traditional classes is key,” the report states.
Ringfencing losses
London market insurer Beazley is already taking steps to ringfence its cyber catastrophe exposure. Earlier this year, Insurance Insider revealed that the carrier was developing a programme to clarify the provision of coverage in several specific cyber cat scenarios.
One of the scenarios is focused on the outage of a major cloud service provider, where a 72-hour time clause would apply: the policy would respond to the first 72 hours of the outage, after which coverage would not be given.
Sources said Beazley would roll out the wordings in staged phases once complete. If insureds requested catastrophe coverage beyond that in the cyber policy, then the company would consider this on a case-by-case basis.
In a statement to Insurance Insider, Beazley’s Head of Global Cyber and Technology, Paul Bantick, says that the market needs to be scalable and has to evolve how it manages systemic risk.
“We [Beazley] currently model systemic risk scenarios and are comfortable with our exposure, but what we do need to do is think about how we attract more capital to the cyber insurance industry so we can grow the market and keep providing, into the future, the needed capacity to meet client demand.”
*’Shifting powers: physical cyber risk in a changing geopolitical landscape’ by Lloyd’s in association with the Centre for Risk Studies at the University of Cambridge’s Judge Business School.