An article on the Lloyd’s website notes that “industrial facilities from nuclear plants to dams are increasingly coming under attack from cyber terrorists bent on causing physical damage and disruption from behind their computer terminals. But with the insurance market yet to plug the gap between cyber and physical terrorism risk, the Lloyd’s market has a key role to play in finding the solution.”
The article points out that the “ability of hackers to wreak havoc on industrial facilities first became apparent when the Stuxnet virus – a worm speculated to have been created by the US and Israeli secret services to target Iran’s nuclear facilities – successfully started disrupting uranium enrichment at the Natanz nuclear station in Iran in 2010, before spreading to other facilities.”
Laila Khudairi, Underwriter – Enterprise Risk at Lloyd’s underwriter RJ Kiln & Co., explained that “Stuxnet was the first virus to create physical damage – it was purely electronic in its origin but caused actual explosions and meltdown, which hadn’t been seen before.” This has opened new opportunities for terrorists, as they no longer need to be physically in place to plant explosive devices or carry out armed attacks.
Rick Welsh, Head of Cyber Insurance at specialist utilities and energy industry insurer Aegis, believes cyber terrorists are not yet sophisticated or commercialized enough to successfully take down a major facility, but the use of malware is rising year-on-year and Welsh is seeing an increasing number of cyber-attacks on industrial facilities.
He explained to Lloyd’s that – for the moment – “the risk is still in the low vulnerability but high threat quadrant, but that will be subject to change in the next year or two. We’ve been told of quite a few attacks that have been successful but the scope of the damage has been kept out of the press and downplayed. No-one wants to talk about it – particularly when it concerns critical infrastructure.”
Lloyd’s poses the question of whether or not the insurance industry can offer solutions to meet the threat from cyber terrorism. Despite government actions, including President Obama’s signing of an executive order entitled “Improving Critical Infrastructure Cybersecurity,” both Welsh and Khudairi “agree that despite the significant potential risk posed by cyber-attacks on critical industry, the insurance market does not yet offer a comprehensive solution,” Lloyd’s said.
“Cyber terrorism is addressed by the cyber market but the property damage element is not, so there is a gap in cover,” Khudairi explained. “The terrorism market excludes attacks electronic in nature, while the cyber market covers hackers breaking into systems and bringing networks down, but doesn’t cover that Stuxnet-type scenario.”
Welsh pointed out that brokers have little choice but to place their clients’ business through established silos of insurance, while plugging any gaps with supplementary cyber add-ons. “Our [utility and energy] clients don’t think like that,” he said. “For them, cyber risk is a central organizational risk, so they are asking why the insurance market can’t look at this more holistically. There are very few insurers able to do that.”
According to Welsh, the Lloyd’s market is expected to play a significant role in solving the problem. “Even in the US they are looking to London – and particularly Lloyd’s as a specialist market – for guidance as that’s what we’re known to be good at,” he said, adding that Aegis is currently working with clients to develop the kind of “holistic” products they require.
Khudairi also indicated that RJ Kiln is developing coverage for property damage as well as business interruption caused by cyber terrorism. However, she added that the capacity for these risks is still very limited, even in the Lloyd’s market. She said, “Lloyd’s has to monitor its aggregate exposures, but will do whatever it can in order to meet demand.”
Welsh also noted that there is likely to be uncertainty over pricing physical cyber coverages, which will have to be probability-priced rather than actuarial because these risks are so new. “Pricing has got to find its natural home, somewhere between property and cyber rates. For those that want more coverage, in this environment of unknowns they are going to have to pay more,” he said.
Khudairi and Welsh both observed that the level of awareness of cyber risks among critical industry operators is rising, but that the quality of risk mitigation varies significantly across the sector. “Some clients absolutely adopt cyber security risk management guidelines yet there are others who don’t really believe they have exposure, so rather than adopting cyber security best practice they buy as much insurance as they can and try to mitigate their exposure that way,” Welsh explained.
He believes one step lawmakers could take is to standardize cyber security on an industry basis. “The problem with operational security is that people aren’t sure what those standards should look like,” he admitted. “This is all still new.”
Source: Lloyd’s of London