Cyber Terrorism - Lloyds
Industrial facilities from nuclear plants to dams are increasingly coming under attack from cyber terrorists bent on causing physical damage and disruption from behind their computer terminals. But with the insurance market yet to plug the gap between cyber and physical terrorism risk, the Lloyd’s market has a key role to play in finding the solution.
The ability of hackers to wreak havoc on industrial facilities first became apparent when the Stuxnet virus – a worm speculated to have been created by the US and Israeli secret services to target Iran’s nuclear facilities – successfully started disrupting uranium enrichment at the Natanz nuclear station in Iran in 2010, before spreading to other facilities.
“Stuxnet was the first virus to create physical damage – it was purely electronic in its origin but caused actual explosions and meltdown, which hadn’t been seen before,” explains Laila Khudairi, Underwriter – Enterprise Risk at Lloyd’s underwriter RJ Kiln & Co. “Now terrorists don’t need to board planes and put bombs in location, but can use the internet to get into critical infrastructure or nuclear facilities and cause explosions. This is a new type of risk.”
Rick Welsh, Head of Cyber Insurance at specialist utilities and energy industry insurer Aegis, believes cyber terrorists are not yet sophisticated or commercialised enough to successfully take down a major facility, but the use of malware is rising year-on-year and Welsh is seeing an increasing number of cyber-attacks on industrial facilities.
“For the moment the risk is still in the low vulnerability but high threat quadrant, but that will be subject to change in the next year or two,” he tells lloyds.com. “We’ve been told of quite a few attacks that have been successful but the scope of the damage has been kept out of the press and downplayed. No-one wants to talk about it – particularly when it concerns critical infrastructure.”
Finding the insurance solution
In the US, President Obama certainly considers the risk a subject worthy of attention, having signed in February this year an executive order entitled ‘Improving Critical Infrastructure Cybersecurity’. But Welsh and Khudairi both agree that despite the significant potential risk posed by cyber-attacks on critical industry, the insurance market does not yet offer a comprehensive solution.
“Cyber terrorism is addressed by the cyber market but the property damage element is not, so there is a gap in cover,” explains Khudairi. “The terrorism market excludes attacks electronic in nature, while the cyber market covers hackers breaking into systems and bringing networks down but doesn’t cover that Stuxnet-type scenario.”
Welsh says that brokers have little choice but to place their clients’ business through established silos of insurance, while plugging any gaps with supplementary cyber add-ons. “Our [utility and energy] clients don’t think like that,” he says. “For them, cyber risk is a central organisational risk, so they are asking why the insurance market can’t look at this more holistically. There are very few insurers able to do that.”
Looking to Lloyd’s
According to Welsh, the Lloyd’s market is expected to play a significant role in solving the problem. “Even in the US they are looking to London – and particularly Lloyd’s as a specialist market – for guidance as that’s what we’re known to be good at,” he says, adding that Aegis is currently working with clients to develop the kind of ‘holistic’ products they require.
Meanwhile, Khudairi says RJ Kiln is also developing coverage for property damage as well as business interruption caused by cyber terrorism. However, she adds, capacity for these risks is still very limited, even in the Lloyd’s market. “Lloyd’s has to monitor its aggregate exposures, but will do whatever it can in order to meet demand.”
Welsh says there is likely to be uncertainty over pricing physical cyber coverages, which will have to be probability-priced rather than actuarial due to the fact that these risks are so new. “Pricing has got to find its natural home, somewhere between property and cyber rates. For those that want more coverage, in this environment of unknowns they are going to have to pay more,” he says.
Khudairi and Welsh both say the level of awareness of cyber risks among critical industry operators is rising, but that the quality of risk mitigation varies significantly across the sector. “Some clients absolutely adopt cyber security risk management guidelines yet there are others who don’t really believe they have exposure, so rather than adopting cyber security best practice they buy as much insurance as they can and try to mitigate their exposure that way,” says Welsh.
He believes one step lawmakers could take is to standardise cyber security on an industry basis. “The problem with operational security is that people aren’t sure what those standards should look like,” he admits. “This is all still new.”