When cyber gets physical

Need to know

• The growing number of connected devices and the ever increasing reliance on digital technologies mean cyber incidents can cause complex damages in the physical world
• Unlike data breaches, physical incidents don’t have to be disclosed, and are thus thought to be under-reported
• Claims caused by cyber are highly likely to be picked up on other policies
• Most cyber insurers cover intangible assets but some cover any losses resulting from a cyber event
• The PRA consultation on cyber will encourage insurers to assess the risks they are picking up

Recent events such as the WannaCry ransomware attack and British Airways’ computer outage have helped to drive sales of cyber insurance, but there are concerns that a significant part of the risk is being overlooked

Allianz Global Corporate & Specialty predicts the worldwide cyber insurance market could grow from $2bn (£1.5bn) today to more than $20bn (£15bn) in the next 10 years.

To date, cyber risk has focused primarily on the loss or unavailability of data and the business interruption and liability issues that could stem from this. But there is also the potential for physical damage as a result of a cyber attack or IT failure.

“We live in a hyper-connected world,” says Matthew Webb, group head of cyber at Hiscox. “There are already 10 billion devices connected to the internet, with this forecast to increase to 50 billion by 2020. Each of these could be a point for destructive malware to attack, with this potentially resulting in a significant amount of physical damage.”

Alongside this greater connectivity, the increasing use of technology puts many more organisations at risk. “Digital technology is used across the value chain from supply chain operations to smart buildings and production robotics,” explains Adam Peckman, global practice leader for the cyber risk consulting team at Aon. “This reliance on technology means the disruption and property damage from a cyber event are now much more complex and financially impactful.”

Getting physical

Reported cases of physical damage following a cyber incident are unusual, but there have been a few notable examples, including the Stuxnet malware attack on an Iranian nuclear plant and the recent damage to a blast furnace at a German steel mill.

What’s more, many believe these cases are only the tip of the iceberg. “Although there appears to be relatively few publicly known instances of physical damage resulting from cyber incidents, we believe they are occurring,” says Peter Johnson, cyber advisory leader at Marsh Risk Consulting. “Unlike data breach-related events, there is no mandatory disclosure requirement for physical incidents.”

It’s also highly likely that claims that were caused by cyber are being picked up on other policies, even though the insurer never intended to cover them. Sarah Stephens, head of cyber, content and new technology risks at JLT Specialty, believes part of the problem is the focus of claims. “In the event of a claim, the key priority is to get the business back up and running,” she explains. “Unless it’s obvious or there’s an investigation, no one will know whether a cyber event was the cause.”

As an example, a fire in an office building could be the result of a failure in the air conditioning, causing computers to overheat. However, while this could be a design fault, it could also be caused by someone hacking into the control systems and adjusting the settings.

Cyber market

• The cyber insurance market is estimated at $2bn (£1.5bn)
• Its value is expected to be multiplied by 10 by 2025
• Cyber crime costs the global economy $445bn (£345bn) a year
• Annual cyber crime damages are expected to reach $6trn (£4.5trn) by 2021
• 2% of companies employ financial quantifications when assessing cyber risk

The insurance industry has taken steps to highlight just how far cyber losses could spread. For example, in 2015, Lloyd’s and the University of Cambridge Centre for Risk Studies published a report, Business Blackout, exploring the insurance implications of a cyber attack on the US power grid. This found that insurers could face claims of between $21.4bn and $71.1bn across numerous lines of business including property, casualty and life and health, as well as cyber policies.

Insurance response

Given the relatively short history of cyber as a class of business, insurers are taking a number of different approaches to underwriting cyber risk within other lines of business. Depending on the sector and the product, exclusions and sublimits are commonly used to manage exposure.

But, as a result of the soft market, there have been signs of some relaxation of these over the last couple of years. “It’s not always the case, but we’ve been able to get some of these exclusions deleted or pushed back to a softer form,” Stephens explains.

As an example, she says some policies have moved from a CL380 clause, which excludes cover for IT system attacks with the intent to cause harm, to NMA 2914 or NMA 2915 clauses. These include an element of property damage from the loss or damage of electronic data, providing it results from fire or explosion.

It’s also important to understand the position of the cyber insurers when it comes to physical damage. Unfortunately, Graeme Newman, chief innovation officer at CFC Underwriting, believes the cyber insurance market isn’t making the situation any simpler. “We’re at a bit of a fork in the road at the moment,” he explains. “While the majority of cyber insurers look to cover intangible assets, some are turning cyber into a single peril policy that will pick up any losses resulting from a cyber event. There’s a danger that it will get confusing.”

Examples of physical damage from cyber attacks

2000: Maroochy Shire Council, Australia

A former employee of Hunter Watertech, a company that installed industrial control systems, hacked into the IT systems, causing uncontrolled release of raw sewage into the environment.

2009/2010: Natanz nuclear plant, Iran

Probably the best known example of cyber-related physical damage, this saw the Stuxnet worm enter the IT network of one of Iran’s nuclear plants, Natanz. Once inside, it was able to reprogramme the software that controls the plant’s centrifuges, adjusting their operating speeds and ultimately destroying some of the machinery.

2013/2014: Unnamed steel mill, Germany

By using targeted emails and social engineering, hackers were able to steal passwords and take control of the steel mill’s IT system. This enabled them to adjust operations, causing parts of the plant to fail and resulting in massive damage when the blast furnace had to be shut down unexpectedly.

2015: Power grid, Ukraine

Hackers used malware to gain remote control of the Ukrainian power grid’s computer systems. This enabled them to flip circuit breakers and leave around 225,000 people without power. The supply was restored after a few hours, but employees were still having to use manual controls several months after the event. Although no physical damage was reported, it demonstrates the vulnerability of systems and the potential issues that could arise.

Sources: AGCS; Center for Strategic and International Studies; Cybersecurity Ventures; and Aon

Those that have gone down this path argue that it provides better cover for clients. As an example, AIG offers affirmative cover which can sit above a property or casualty policy if a cyber restriction is in place. Similarly, its cyber insurance policyholders can take out a physical damage extension if they would like this additional cover. “We want to provide flexibility to our customers,” says Mark Camillo, head of cyber for Europe, Middle East and Africa at AIG. “This helps to ensure they know what is covered.”

But the availability of these different cover options could be creating greater confusion. As a result, Webb would like to see greater transparency around what is and isn’t covered when it comes to physical damage resulting from cyber. “If insurers don’t deal with this risk, there could be a shock,” he warns. “We don’t want to see post-event underwriting.”

This could result in years of litigation and, although insurers are well capitalised, the scale of the losses from cyber-related physical damage could be significant.

Understandably, it’s a scenario the regulators are keen to avoid, with the Prudential Regulation Authority issuing a consultation paper on cyber insurance underwriting risk last November. Its thematic work, conducted between October 2015 and June 2016, found that, although silent cyber risk was material, most firms did not have adequate methods in place to quantify and manage it.

As a result, it proposes that firms should be able to identify, quantify and manage the risks emanating from cyber underwriting for both affirmative and silent cover. Hans Allnutt, partner at DAC Beachcroft, says this is an important step. “It will force insurers to sit up and assess what cyber risk they are picking up,” he explains. “This will provide clients with greater contract certainty but it will also mean some will go against the market trend of simply adding cover in. We’re already seeing a number of the forward-thinking insurers setting up cyber expertise to ensure they are on top of this issue.”

But whether or not insurers choose to embrace or exclude cyber risk, the first step needs to be understanding their exposure. Tom Harvey, product manager at catastrophe risk modelling company RMS, explains: “Insurers need to identify where the risk lies and quantify it so, if it’s material, they can take steps to mitigate it.”

His firm can support insurers with this modelling, employing white hat hackers to test security and gain insight into vulnerabilities and how an attack could play out. “We look at extreme but plausible scenarios, showing how an attack could scale up to be a substantial catastrophe,” he adds.

There’s also more attention being paid to assessing an organisation’s approach to cyber security. As an example, to help it underwrite and price its cyber risk product, Brit works with data suppliers to understand an insured’s cyber effectiveness. Russell Kennedy, divisional director at Brit, explains: “They will scan the dark web to see what information is available that might compromise the insured’s cyber security. This gives us a good view of susceptibility and risk.”

Cover certainty

A better understanding of the risk is also likely to lead to a more standardised approach to insuring physical damage resulting from cyber. While some prefer a single peril approach, with any losses with a cyber trigger falling under a specific policy, others argue that it makes more sense to restrict cyber policies to covering intangible assets such as data.

Newman believes the second option is more logical, arguing that, from a claims perspective, the infrastructure is in place to deal with physical damage, regardless of the cause of the loss. “Insurers can’t write modern policies that don’t include cyber risks. It may be easier to slap an exclusion on but clients need us to step up and provide the cover they need.”

Helen Carpenter, liability and cyber portfolio leader at RSA, is also in favour of this approach, believing it better suits customers. However, she admits there are a number of issues that would need to be ironed out first. “The industry needs to consider how it approaches the reputational angle, as this isn’t something a property policy would pick up,” she explains. “Similarly, a cyber policy has a suite of response services such as IT forensics and crisis management to help a client deal with a cyber incident. It might be sensible to offer these for cyber-related physical damage.”

There are other challenges too. Camillo says it’s not always straightforward to allocate and underwrite the risk. As an example, he points to a directors’ and officers’ policy. On this, a claim could be brought against the directors on the grounds of corporate governance but the failing would relate to a cyber incident. “We’re still at the early stages of the Internet of Things but I can see a point where it will become difficult to draw the line between the physical and virtual worlds.”

The speed at which technology evolves means there are challenges ahead, but the pressing issue for the market is to understand the extent of cyber exposure and determine how it should be covered. Fortunately, with the regulators alive to these matters, some form of resolution is expected imminently.

And, although there are still plenty of unknowns around cyber, it’s also important to put the risk into perspective. “Cyber garners a lot of attention but it’s just another risk that companies face,” notes Johnson. “It can be handled the same way as any other, through effective risk management and insurance.”