A cyber attack scenario where hackers targeted a U.S. hydroelectric dam causing significant property damage through flooding, could clearly result in losses flowing through to the insurance-linked securities (ILS) market thanks to so-called silent cyber exposure.
Insurance and reinsurance broking specialist Aon worked with Guidewire Software’s Cyence Risk Analytics team to develop a scenario that clearly shows how silent cyber exposures can impact property portfolios of insurance and reinsurance.
As a result, the scenario also clearly demonstrates how such an event could cause significant losses to ILS funds that are backing reinsurance programs exposed to the losses caused by silent cyber events.
The scenario in question involves a hypothetical hacking attack on a U.S. hydroelectric dam, as the hacker seeks to cause significant disruption in the U.S. by opening the flood gates.
Such an event would severely impact any businesses and homeowners in the path of the flood waters that were released, creating losses for insurance policies and as a result exposure for reinsurance and ILS capital providers.
The pair note that with over 90,000 dams in the U.S., that provide irrigation, hydroelectric power, flood control, and recreation, . While technology and automation improve dam safety and operation, they also create new risks.
Should such a scenario of a hack attack on a dams floodgates occur, it would cause significant downstream flood related damages, which the firms say would result in ‘silent cyber’ losses for insurers.
Silent cyber risk is the potential for cyber perils to trigger losses on traditional insurance and reinsurance policies, the pair explain, such as property or casualty covers where protection against cyber risk itself is unintentional or un-priced.
Aon and Guidewire looked at three scenarios, for different dams with increasing levels of exposure and found that in the case of the dam with the largest exposure, such an event could cause a huge $56 billion economic loss.
From such an event the pair model that the insurance industry could face a loss of as much as $10 billion, which would trigger reinsurance protection for many of the affected insurers and hence some of the losses would likely flow to the capital markets through ILS funds and collateralized structures.
Aon explained that, “Generally, affected insurers would have protection from their reinsurers in these scenarios. Property reinsurance treaties provide for direct physical loss—which in these scenarios occurs as a result of a cyberattack.”
Importantly, the exposure to reinsurance capital would not just be through private market insurers programs, it’s also likely through the National Flood Insurance Program (NFIP) in the most extreme dam hacking scenarios.
In fact, in the scenario leading to the $10 billion industry loss, reinsurers would be exposed to losses from the NFIP’s reinsurance program.
That also means that the NFIP’s flood catastrophe bond could potentially be triggered by such a loss event (although it would require a particularly severe event we’d imagine) demonstrating that silent cyber exposure can also impact the cat bond market, under extreme circumstances.
Jonathan Laux, Head of Cyber Analytics for Aon’s Reinsurance Solutions business, said, “Insurers must consider how changing technologies can cause ‘established’ perils such as flood to morph into new risks, with resulting changes to frequency and severity. By using scenarios such as this one, insurers have the ability to stress test their portfolios against new and emerging perils created by cyber risk. With that knowledge, insurers can take steps to mitigate risk, through reinsurance as well as working with businesses to increase their resilience.”
Matt Honea, Director of Cyber at Guidewire, added, “We face a huge challenge today, securing not only all laptops and phones, but all network connected devices. These connected devices are automating human tasks by powering more equipment and processing systems. We bring focus to these dam scenarios to highlight concrete examples of an extreme cyber event.”
It’s also worth noting that in some scenarios the level of uninsured losses would be significant as well, with as little as 12% of the loss actually covered by insurance.