As the digital threat landscape evolves, the potential for physical damage, bodily injury, and business interruption stemming from cyber attacks seems ever more likely, and the insurance industry sees a real need to develop risk management solutions that will protect its clients.
Beyond Data
Experts expect cyber risk to grow beyond the threat of loss of data in 2015, in an expansion that will test existing property insurance policies, many of which are silent on whether cyber is an excluded peril for physical damage, and call upon the business community to seriously consider the security of their systems. To date, there have reportedly been only two incidents of cyber attacks that have resulted in physical damage – an incident at a German steel mill, revealed in the German information security bureau’s annual report, and a 2008 deployment of a virus, Stuxnet, that damaged Iran’s critical infrastructure. However, insurers, governments, and some industries are examining not just what has happened, but what could potentially happen.
“The big picture is, cyber risk has definitely broadened out beyond data privacy and security,” Robert Hartwig, president of the Insurance Information Institute (III), told Advisen. “There’s a bit of a time bomb there, waiting to happen. The threat is there, the losses just haven’t been played out yet.”
According to Hartwig, the risk of damage to equipment, property, supply chains and more assets has created concern among businesses that is “quickly approaching, from a risk management perspective, the same level of concern that companies have for natural disaster risks.”
Underwriting the risk presents obstacles for insurers. John Pescatore, vice president of emerging trends at the SANS Institute, told Advisen that even security researchers have difficulty predicting the likelihood of loss beyond data.
“Part of the difficulty is that we can do penetration testing, and say, ‘I captured this bank of credit card numbers.’ We can’t really say, ‘Oh, look, I destroyed that nuclear power plant,’” he said.
Where the coverage is
The insurance marketplace currently offers three options for insuring against cyber-related physical damage. Most cyber insurance policies focus on data loss and coverage for breach notification. However, AIG, AEGIS, and Lloyd’s of London offer coverage for physical loss caused by cyber attacks. AIG’s product includes both first- and third-party coverage and wraps around existing policies as a difference in conditions (DIC) offering. AEGIS’ is similar, while Lloyd’s syndicates can access a stand-alone option.
Ben Beeson, broker with Lockton, commented, “Physical damage is a huge challenge, but a huge opportunity for us in this industry. We’ve got to do a better job in helping our clients understand these risks and be honest with them and candid.”
At the unnamed German steel mill, officials reported, a spear phishing scam last year allowed hackers to access the mill’s system, preventing a blast furnace from shutting down in the appropriate manner. The scheme caused “massive damage” to the mill – the type of damage that, if it were caused by non-cyber equipment failure, operator error, or a fire, would typically be covered under a property insurance policy. And many insureds may not realize that their traditional property insurance might not cover this type of loss. On the other hand, a lack of clarity on many property policies could mean that cyber-related physical damages should be covered.
“Frankly, there should be massive demand for this. It’s a risk that exists,” said Beeson. “But the industry is not helping itself, because the traditional property-casualty insurers are not stepping up and saying, ‘Yes we cover this,’ or ‘No, we don’t.’ They don’t want to lose business.”
Once losses of this type begin to occur – and security and insurance observers have no doubt they will – the distinctions should become quite clear. Much as litigation tested commercial general liability policies for coverage of cyber events, property policies are next in line, particularly if they do not contain specific cyber exclusions.
“The market has got to start coming clean,” said Beeson, adding that brokers also need to “convince clients that it needs to be addressed in a specific solution and we need to get there quicker than we are now.”
According to Hartwig, insureds are already becoming aware that they could need a separate solution, and as that awareness grows, the insurance market will grow as well.
“The increasing interdependence and increasing dependence on digital transactions is simply going to drive demand for this product as far as the eye can see,” he said.
Learn by Doing
Pescatore of the SANS Institute told Advisen that underwriting for cyber-related physical damage would depend heavily on insurers’ ability to verify the systems security of their clients, performing the equivalent of a due diligence exam of defenses.
“They can issue insurance for a physical disaster for a building,” said Pescatore, who previously worked with an insurer that determined it didn’t have the data to properly underwrite this type of cyber insurance. “In software, there’s no such thing as building codes. The real issue is how strong the software is. Almost no — or close to zero — software comes with a warranty and that’s not changing rapidly. I can tell you a bridge will fall down if a certain truck weighing a certain amount drives over it. I can’t tell you if an attack on a system will cause physical damage.”
Hartwig noted that this is a “new frontier” and insurers are “moving forward in a tentative and in a limited way.” He expressed confidence the market would find its way, driven by heightened interest from boards of directors and C-suite executives needing to demonstrate they have protected their organizations.
“They’ll learn by doing, as they always have,” Hartwig said, citing the development of the aviation market nearly a century ago. “I do think you’ll see it develop at Internet-speed.”
Beeson said collaboration is needed between insurers, brokers, reinsurers, and security consultants to develop the market in the future. More capacity is a must, he added, for cyber-related physical damage coverage to take off.
“We as an industry have got to get to $1 billion and fast,” said Beeson. “We have to make sure we are stepping up and remaining relevant as an industry to the clients we serve. This is a huge opportunity for us in the industry. We’ve just got to get together to make it happen.”