All imaginary cyber catastrophes point to cyber-data sharing

By Chad Hemenway on July 8, 2015

 

A new report from Lloyd’s and the University of Cambridge’s Centre for Risk Studies is the result of a hypothetical, very unlikely but entirely possible scenario in which a cyberattack cuts power to much of the US Northeast.

Insurers would take a huge hit—an estimated $21.4 billion—which is just a fraction of the total loss to the US economy of about $243 billion. And those are numbers from the low end of loss ranges in the report.

Imagine cyber hackers inject some malware that goes undetected until one day when it looks to take control of electric generators, finding 50 that it can control, overload and cause some fires and explosions. Ninety-three million people in 15 states and Washington DC are in the dark for various amounts of time. Water is cut off for many; ports are shut down; infrastructure collapses; people die.

The report, Business Blackout, attempts to assess which lines of business would be affected by such a terrible set of events. A total of 32 lines are exposed to claims—with commercial, commercial facultative, energy, general liability, trade credit and cyber property seeing major increases in claims.

“As insurers, we need to think about these sorts of complex and interconnected risks and ensure that we provide innovative and comprehensive cyber insurance to protect businesses and governments,” said Tom Bolt, director of performance management at Lloyd’s. “This type of insurance has the potential to be a valuable tool for enhancing the management of, and resilience to, cyber risk.”

But to do so, insurers need more data to develop models and provide products. Over and over again, Lloyd’s properly points out that insurance has the “potential” to be a valuable tool. But, right now, is it? Right now, in fact, it looks like insurance covers less than 10 percent of economic losses in this scenario created by Lloyd’s and the University of Cambridge. That’s a far cry from making people whole following a catastrophe.

The key—as we have heard time and time again—is data. And the data needed to truly grab a hold of the “systemic, intangible, constantly evolving nature of cyber threats” cannot be entirely accumulated by the insurance industry alone. In fact, in all probability, the loss data from insurers on cyber events is “unlikely to be sufficiently comprehensive in isolation to accurately assess extreme events spanning the full spectrum of threat and every economic sector.”

Right now insurers have just enough data to either pull out of the cyber insurance marketplace, restrict some industry classes or cut capacity.

What then, is next? Lloyd’s said a data exchange—with public and private participation—is needed.

So in the end, while this scenario is scary and the report is impressive, the end result is the same as what we’ve been hearing. Insurers can play an enormous role in getting us on our feet following such a major catastrophic event such as an attack on a large portion of the electrical grid, but the industry isn’t going to write blindly without having the information it needs to get a handle on exposures and aggregation. And the only way it may get enough history to be able to more accurately enter these important underwriting metrics in calculations is if everyone shares data.

Sharing is terrifying. To be softer, as Lloyd’s said, sharing is “complex.” Nevertheless, we read more and more reports acknowledging that one of the top lessons we learned in kindergarten needs to put into practice now in order to understand a risk as immense as cyber.

Lloyd’s admits its hypothetical is unlikely for a variety of reasons. But it is far from the realm of possibility. As I write this, trading on the floor of the NYSE has been halted by a technical glitch and it was very careful to say the stoppage was not caused by a cyber attack…because that is the first thing we thought. Same goes for when, on the same day, we heard flights of United Airlines were grounded after its computers stopped working. And the Wall Street Journal’s website stopped working at the same time as well.

Well, maybe none of this was caused by a cyberattack, but instead a solar flare. No worries. Lloyd’s has been looking at solar flares for years.

Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalist experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824 or [email protected].