Cybersecurity is One Thing, but Figuring Out Where Insurance Fits into the Big Picture is Not So Simple These Days
There was a period of time not too long ago when insurers had an easier time deciding on how much protection a manufacturing operation needed. It was all very cut and dried.
Add today’s cybersecurity issues on top of the physical plant, and insurers are no doubt pulling out their hair because they just don’t know what to do. That is why cyber-physical attacks on critical infrastructure that have the potential to damage physical assets and cause widespread losses are keeping insurers wide awake at night.
A cyber-physical attack on critical infrastructure occurs when a hacker gains access to a computer system that operates equipment in a manufacturing plant, oil pipeline, a refinery, an electric generating plant, or the like and is able to control the operations of that equipment to damage assets or other property.
A major cyber-physical attack on critical infrastructure is a risk not only for the owners and operators of those assets, but also for their suppliers, customers, businesses and persons in the vicinity of the attacked asset, and any person or entity that may be adversely affected by it (e.g., hospital patients and shareholders).
Because damages caused by a cyber-physical attack can be widespread, massive, and highly correlated, affecting multiple sectors of the economy and many lines of insurance, the insurance industry is giving this risk heightened attention.
The UK insurance marketplace Lloyd’s, London and the University of Cambridge, for example, conducted a major study of the losses resulting from a hypothetical cyber-physical attack on 50 electrical generators in the Northeast U.S. Other insurance market participants have also published reports addressing cyber-physical risks to critical infrastructure. The insurance industry’s focus on cyber-physical risks perhaps should be action-guiding for corporate policyholders as well.
Two Major Attacks
To date, there have been only two major publicized cyber-physical attacks. The first was the use, in 2008 through 2010, of the Stuxnet virus to destroy approximately 20 percent of Iran’s centrifuges used to make nuclear materials. Stuxnet, which ISSSource reported was a joint effort between the U.S. and Israel to slow down or stop Iran’s nuclear program, damaged centrifuges at the Natanz nuclear facility in Iran by causing them to spin out of control while the operators thought everything was running normally.
In the second attack, in late 2014, hackers gained access to the computers of a German steel mill through a minor support system for environmental control. The attack led to the destruction of a blast furnace in the steel mill. German authorities did not allow the publication of many details of the attack, but they did describe the resulting damage as “massive.”
Several attacks on critical infrastructure did not result in property damage beyond the infected computers themselves, but apparently only because of fortuitous events or the narrow goals of the attackers.
Some cases of such attacks include:
• An attack on the Ukraine power grid in December 2015. This was a multistage, multisite attack that disconnected seven 110 kV and three 35 kV substations and resulted in a power outage for 80,000 people for three hours. The attackers’ point of entry – a phishing scam.
• In 2014 the “Energetic Bear” virus was in over 1,000 energy firms in 84 countries. This virus was for industrial espionage and, because it infected industrial control systems in the affected facilities, it could have damaged those facilities, including wind turbines, strategic gas pipeline pressurization and transfer stations, LNG port facilities, and electric generation power plants. It has been suggested that a nation-state “pre-positioned attack tools to disrupt national scale gas suppliers.”
• A small flood control dam 20 miles north of New York City was hacked in 2013. The attacker would have been able to control the sluices but for their being taken off-line for maintenance. One report suggested the attackers intended to hack a dam of the same name in Oregon many times the size of the New York dam.
• Last November hackers destroyed thousands of computers at six Saudi Arabian organizations, including those in the energy, manufacturing, and aviation industries. The attack was aimed at stealing data and planting viruses; it also wiped the computers so they were unable to reboot. This attack was similar to a 2012 attack on Saudi Aramco, the world’s largest oil company, which destroyed 35,000 computers.
These are not isolated incidents.
The scope of the cyber risk to critical infrastructure is multiplied when one views cyber not as a discrete risk, but as “being an enabling and amplifying factor for existing categories of risk.” If the non-cyber risk of fire or explosion at an oil refinery is X, then including in the risk calculation the probability of that fire or explosion being caused by a cyberattack leads to a risk of multiples of X.
Insurers in cyber insurance markets are struggling to find the appropriate multiple of X for cyber-physical risks when too little reliable information relevant to cyber risk is available. For U.S.-based risks, the difficulty stems in part from too little publicly available, reliable information on the number, types, severity, and scope of cyberattacks on critical infrastructure. Corporate victims generally do not publicly disclose cyber-physical attacks. Similarly, the U.S. Department of Homeland Security does not publicly disclose successful cyberattacks on critical U.S. infrastructure. That leaves insurers assessing risk from other sources whose information may be inaccurate or incomplete.
In addition to too little information, market participants point to three attributes of cyber-physical risk that present difficult challenges for the pricing and underwriting of cyber policies. First, cyber risks present systemic exposure – a cyber-physical attack can cause widespread and highly correlated harm across broad geographical areas and multiple sectors of the economy. The Lloyd’s study estimated a cyber-physical attack on 50 generators in the U.S. Northeast could cut power to 93 million people and result in $243 billion to $1 trillion in economic losses, and $21 billion to $71 billion in insurance claims. For comparison, Super Storm Sandy in 2012 resulted in approximately $100 billion in damages and the U.S. GDP in 2015 was just under $18 trillion.
Second, cyberattacks are “intangible” in the sense that the perpetrators often remain anonymous and an attack can go undetected for months. Undetected malware and viruses may be in computers controlling a piece of infrastructure right now. Assessing the random probability of loss, the traditional core task of underwriters, in the face of “unknown unknowns” is a challenge.
Third, the risk is dynamic. The types of attacks, their targets, and the nature of the attackers (nation-states, terrorists, hacktivists, criminals, the teenager next door) and their motivations (espionage/sabotage, political goals, financial gain, curiosity/malice) are constantly evolving. There are virtually unlimited avenues by which such attacks can be mounted, including phishing scams, “watering hole” scams, the infection of industrial control systems software in the development stages (one of the methods employed by the Energetic Bear hackers), an attack on Internet Exchange Points that form the interfaces between different computer networks, the millions of unsecured and unencrypted devices that are part of the Internet of Things, and the actions of rogue employees.
These underwriting challenges are also risk-assessment and risk-management challenges for corporate boards of directors and risk managers.
This is especially so when these challenges have had a direct impact on cyber insurance markets. The general consensus in the insurance industry is that cyber-physical risk is underinsured. The Lloyd’s study said the estimated insurance claims from the hypothetical attack on the electric power generators are less than 10 percent of the estimated damages. This underinsurance of cyber-physical risk is the result of prevalent exclusions for bodily injury and property damage resulting from a cyber incident found in most first-party and third-party cyber insurance policies.
For corporate policyholders that own or operate critical infrastructure, managing cyber-physical risks in this insurance environment may require greater creativity than normal.
The use of a captive insurer, for example, may be an attractive way to self-insure the first layer of cyber-physical risk. Some insurers are selling primary layer wrap policies intended to cover property damage losses excluded under most primary layer cyber policies. Difference-in-conditions excess policies that drop down to provide property damage coverage excluded in the underlying policy are also being marketed by certain insurers. Finally, because cyber insurance typically is negotiable, policyholders may attempt to negotiate terms that eliminate altogether or minimize the scope of exclusions for property damage or bodily injury caused by a cyberattack. London-market Form NMA 2915, for example, provides coverage for physical damage to property directly caused by fire or explosion if the fire or explosion was itself caused by a cyber event such as the loss or destruction of electronic data or a computer virus.
For corporate policyholders that do not own or operate any critical infrastructure but whose operations are critically dependent upon it – virtually the rest of the corporate community – a major cyber-physical attack on critical infrastructure may have profound adverse financial impacts.
Consider a cyber-physical attack in which the attacker uses its operational control of a piece of critical infrastructure to cause that facility to explode or catch fire. The resulting property damage, personal injuries, and economic losses could be enormous. The potential defendants in the resulting class actions could well include the owner of the infrastructure, the operator, the directors and officers of the corporations (in shareholder derivative actions), the manufacturers of the digital devices through which the attack was made, developers of the control system software, developers of the security software providing firewalls and malware protection, and any other designer of those devices. Third-party general liability coverage and other liability coverages (such as E&O and D&O coverages) with adequate limits may be essential to the financial health of any defendant.
Stream of Losses
Independent of the exposure represented by potential litigation, which implicates third-party liability coverage, a corporate policyholder upstream or downstream of attacked critical infrastructure will want coverage for its first-party losses.
Those losses may include property damage, economic losses from interruption of its business or the businesses of its vendors, environmental damages, the extra expenses incurred to minimize business interruption losses, and loss of data.
Accordingly, a policyholder who does not own infrastructure but who may be affected by a cyber-physical attack on it will want to have in place adequate and unambiguous first-party coverage for property damage, business interruption, contingent business interruption, and extra expense.
New and heightened cyber-physical risks merit increased policyholder attentiveness both to traditional (non-cyber-specific) first-party property and third-party liability coverages previously believed to be relatively routine, and to the terms of cyber insurance policies under consideration or already purchased.
This is especially the case when Lloyd’s itself said first-party property coverages “are commonly silent on whether cyber-related losses would be paid,” and this is likely to lead to coverage disputes. Lloyd’s has further noted “key areas of uncertainty and ambiguity” in the scope of coverage for cyber-physical losses. The risk of a cyber-physical attack on critical infrastructure extends broadly across the economy. Corporate policyholders may find it prudent to review carefully their traditional first-party and third-party coverages and their cyber coverage in light of this evolving and dynamic risk.