The growing threat of cyber terror events across the world has seen a concerted effort from governments and risk transfer counterparties to provide solutions. Among the challenges is the added complexity of physical damage from cyber terror events, according to industry experts.
The increased interconnectedness of the world today has resulted in a substantial rise in cyber attacks in recent years and, with terror attacks also intensifying across many parts of the world, the threat of cyber terror events is a growing reality.
Coverage for cyber attacks is in its infancy, but insurance, reinsurance, insurance-linked securities (ILS) players, and risk modellers are making a concerted effort to innovate and provide adequate solutions.
However, the far-reaching impact of cyber events and further complexities mean modelling and historical data are limited, and the general view among the market is that the risk needs to be better understood so that the cyber risk market can flourish.
One such complexity concerns the issue of physical damage as a result of a terror event, as underlined by Luca Albertini, the Chief Executive Officer (CEO) of insurance-linked investments specialists Leadenhall Capital Partners.
“The biggest question for terrorism and cyber will be one of definition. Let’s say a hacker opens the floodgates in the Netherlands causing widespread destruction. So the damage is property and life, the motivation is terrorism and the conduit is cyber. Which policy pays out?” said Albertini.
The limited data and modelling capacity for cyber terror events means that insurance and reinsurance providers are reluctant to offer large limits and, as highlighted by Albertini, uncertainty surrounding which policy pays out under different scenarios is likely hindering growth and progression.
Cyber Underwriter and Beazley employee, Jimaan Sane, agreed that the cyber attack threat “is very real,” adding that as technology evolves in areas such as medicine, where equipment can be controlled remotely, the risks become ever more real and possible.
“As all these things become easier to do, and the level of sophistication of these attacks increases, you are going to have cyber events that either lead to damage of property or to bodily injury. Some people have tried to predict or model this or look at other events which happen at some frequency with some severity, such as hurricanes,” said Sane.
The potential damages and vast reach of a cyber terror event will grow as technology develops and, unlike natural disasters that repeat the same thing over and over, hackers are intellectual and have the ability to learn new systems, explained Sane.
This means cyber catastrophe events are likely to present unique difficulties for insurance and reinsurance capacity providers and each claim could be very different, depending on systems, or assets, involved and the level of security in place.
So far few cyber events have resulted in physical damage, but the expectation among these industry experts, in a recent report on ILS and cyber from BNY Mellon, is that this is a growing threat and a rising concern among governments and the risk transfer landscape.
Head of Cyber at AIG, Mark Camillo, commented on the physical damage aspect of a cyber terror event, citing the incidents at a German steel mill and Ukraine power grid in recent times.
“I vividly recall first having a discussion with an energy company that was concerned about this a few years ago. For the property risk, underwriters were sending out engineers to inspect the pipeline but there was not one single question being asked about cyber risk.
“The concern was that there would be some sort of cyber event causing physical damage and then a lack of clarity over whether that would be picked up by an insurance policy. The real purpose of introducing the CyberEdge policy two years ago was really to have that frank conversation. So that for those companies that wanted to make sure they had coverage in the event of bodily injury or property damage arising from a cyber event, they had an option,” said Camillo.
However, despite the solution being available for roughly two years, Camillo notes that interest has been pretty low, as most are seeking protection for the intangible loss, data loss etc., rather than the physical or bodily damage.
Products such as this are certainly a step in the right direction and could help raise awareness of the growing threat of physical damage, but the enormity of the task is sure to take a concerted effort from governments, insurers, reinsurers, and the ILS market.
Physical damage from cyber attack to control systems, to discrete electronically controlled parts of industrial and manufacturing complexes, and in industries such as power or energy, is seen as a key opportunity for the specialty insurance and reinsurance market, and is also seen as attractive by some ILS fund managers.
Discrete systems can perhaps be better understood and the risks associated with breach or penetration better modelled, with many now suggesting that a parametric trigger approach may be appropriate for these types of coverages.
However, the claims process is where confusion could reign and clarity is required, as defining what caused the physical damage or where a breach emanated from, and answering questions such as how long a system had been vulnerable for, all add uncertainty into the mix.
And uncertainty, when it comes to insurance or reinsurance contract claims, can lead to disputes. This is making some capacity providers reluctant to dive headlong into the world of cyber risk at this time.
Understanding the damages that can come from a cyber terror event is challenging, but in time, and unfortunately likely assisted by lessons learned from future events, risk modelling and data will improve, enabling new products to become available.
And as advances are made in understanding, modelling and measuring cyber risks, including for physical damage, it will become easier to increase clarity around claims and where the responsibility should lie for payouts.
However, it’s important to note that cyber risk will never be an easy line of business to enter as an insurance or reinsurance market, as technology is moving forwards so fast, threat profiles are changing rapidly and understanding the true extent of the risk will always be a significant challenge.