Cyberattacks still make headlines even as they become more regular. One reason is that the damage from an attack now extends beyond serious reputational and financial harm. A new generation of ransomware such as WannaCry and NotPetya, growing evidence of nation-state cyberattacks, and the targeting of connected devices that automate critical systems have shown how cyberattacks can disrupt physical operations and services.
The overall effect of attacks on a specific organisation's infrastructure cannot be minimised. They can range from the disruption of ATM systems, pumping systems for water and gas, and power supplies, to the loss of access to essential digital services that support everything from shopping to surgery.
Remediating these kinds of disruptions has exposed the issue of silent cyber in the insurance policies used by enterprises and other organisations. When an organisation has claimed for physical damage caused by a cyberattack that has incapacitated or destroyed essential systems, they have found these losses are not covered because cyber is not written into their main property policies.
Insurance policies can be silent on many things. For example, insurance contracts are neither affirmative nor negative on whether an organisation is covered for a Martian invasion, or on whether a sperm whale will crash down onto your building's roof.
Joking about fantastical threats aside, silence in insurance contracts can be bad for both the insured and the insurer, because risks that have not been articulated are likely to be unpriced, unprotected, or both.
If the contract is silent about the physical effects of a cyberattack, then the insured organisation could be rolling the dice on whether its claim is accepted. It may believe that, because cyber is not explicitly excluded, it can claim on its main business insurance policy, only to get pushback from its insurer.
For the insurer, silence on cyber risks means it cannot be certain what its ultimate exposure might be on a policy that covers a property housing connected computer systems that run essential services and could be destroyed or severely disrupted by an attack. The risk for the insurer is that the coverage limits on property insurance policies are many times greater than those on cyber insurance policies.
Last year, we conducted an analysis of silent cyber risks with Aon, a leading global professional services firm that provides a broad range of risk, retirement, and health solutions.
Our study considered the scenario of a hypothetical attack by hackers on a U.S. hydroelectric dam, which could affect businesses and homeowners. The scenario imagined hackers opening the floodgates at a hydroelectric dam. If such an event were to occur, it would be likely to cause significant downstream flood damage, resulting in silent cyber losses for insurers. Using computer models, the total insured losses from one dam being physically breached by a cyberattack were estimated at $10 billion. This is equivalent to the damage from the wind and sea surge associated with a hurricane.
Silent cyber is not a deliberate avoidance tactic by insurers, but its persistence does undermine the value proposition of insurers in helping customers gain greater certainty about risks; and there could be repercussions from insurers selling products that are not relevant to customer needs.
The starting point for remedying silent cyber is to define cyber as a peril that, like a severe storm or an overflowing river, can cause huge insured losses in the real world. Policy contracts need to be rewritten to be either affirmative or negative on coverage for cyber-related damage. This is not an easy task given how greatly contract wordings can vary, but it is an essential step and one that many insurers are now undertaking.
Ending silent cyber is not a trivial matter. Rewriting policies needs to be accompanied by the development and availability of cyber insurance products that take account of physical insured losses. These might be part of re-imagined property insurance policies or as standalone cyber policies.
Insurers also need new tools to identify and understand risks that are more difficult to predict than established perils such as weather, flood or fire. Stress testing their property insurance portfolios against new cyber-driven scenarios that damage critical physical infrastructure needs to be done more regularly. In addition, understanding the potential physical impact of cyber risks enables an insurer to work with customers to mitigate those risks, whether by encouraging greater business resiliency or by involving reinsurance partners.
Ultimately, the goal of insurers must be to build a much broader market for insuring against cyber losses. Insurers do not want only the high-risk cyberattack targets to buy cyber insurance; they want all types of businesses and individuals to be protected. In this way, the industry can create a market that is large enough to absorb the risks even from a serious attack on critical national infrastructure.