Cyber Risks - What isn't vulnerable to cyber attacks?

Source: Middle East Insurance Review | Jul 2015

Mr Markus Bassler of PartnerRe looks at cyber risk from a less-publicised physical property perspective, including example losses from the energy sector, as well as introducing insurance considerations for this important growth market.
 
The modern world is becoming increasingly reliant on, controlled by and interconnected through computers, networks and the internet, made all the more vulnerable by cloud and mobile technologies. The so-called “Internet of Things Applications” impact all sectors of our economies, for example:
• Manufacturing: tracking machinery and monitoring performance (wireless inventory tracking, control of industrial processes), tracking the flow of raw materials and supply chains;
• Retail: tracking shipments and logistics, optimisation of supply chain through shelf sensors;
• Infrastructure and power generation: smart electrical grids, smart cities and traffic systems;
• Health: monitoring and transferring data for chronic medical conditions and exercise; and
• Consumer products and vehicles: security devices, mobile devices and advanced driver assistance systems (ADAS).
 
   Cyber risk thus represents a major and systemic risk to businesses and critical infrastructure, impacting financial services; communications; energy and water supply; food; health and safety; transport and emergency services.
 
Cyber risks
A cyber event can be instigated either by external parties (remote, unauthorised access) or by insider misuse:
• Web application attacks;
• Attacks using crimeware (malware);
• Phishing attacks (faked legitimate sites to steal personal and password data); and
• Logic bombs – small errors leading to major corruption over time (months to years) and almost impossible to identify.
 
   These result in theft, disruption and/ or damage to data and intellectual property, as well as to physical property:
• Data breach/ espionage/ misuse of data;
• Loss or corruption of data and back-ups;
• Denial of service/ system breakdown/ loss of access to internet;
• Physical damage/ infrastructure failure;
• Loss of production/ loss of revenue/ quality issues;
• Reputational damage; and
• Extortion.
 
   Financially, cyber attacks result in multiple costs, including customer/ third-party liabilities and lost revenues (direct and from subsequent reputational damage), notification costs, fines and penalties, legal fees, repair/ reinstatement costs for data and physical property and increased costs of working, for example, due to crisis management and public relations. 
 
Risk frequency and severity
Worldwide, cyber attacks have increased dramatically over the last few years, with the greatest concentrations in the US, UK, Australia and Japan. Verizon’s much-quoted 2014 Data Breach Investigations Report analysed security breach data from 50 global organisations spanning 95 countries and showed a hundredfold increase in data breaches over the past decade.
   It is often difficult to calculate the full financial severity of a cyber attack, but minimum costs arising out of major data breaches are generally in the hundreds of millions. Examples include TJX in 2006 (theft of 24 million records, estimated cost US$172 million) and Heartland Payment Systems in 2008 (theft of 130 million records, estimated cost $145 million). A 2014 data breach study by Ponemon Institute reported a US average (combined direct and indirect) cost of a data breach per record of $201 and an average organisational cost per breach for the US of $5.85 million. In terms of insured costs, the average loss in 2013 was estimated to be just shy of $1 million, according to a NetDiligence 2013 report.
   The UK government has estimated that cyber attacks cost the UK economy approximately GBP400 million (US$614 million) a year.
 
Physical property examples from the energy sector
The energy sector has suffered a disproportionately large number of severe cyber attacks. For example, in the US, 41% of all cyber attacks in 2012 that were directed at critical infrastructure targeted the energy sector, according to ICS-CERT Monitor. Of the examples listed below, Natanz was the first to bring the world’s attention to the vulnerability of physical (rather than non-physical) property to cyber attacks.
   The examples include:
• Natanz uranium enrichment plant, 2010 Stuxnet;
• Chevron, 2010 virus;
• Saudi Aramco, 2012 Shamoon virus;
• RasGas, 2012 hacker attack; and
• Various power plants, 2014 by “Dragonfly” hacker group.
 
   In terms of damage to physical property and the consequent business interruption, the virus in Saudi Aramco, for example, resulted in the destruction of more than 30,000 PCs and 2,000 servers, with IT systems disconnected from the internet for two weeks. In 2010, the Stuxnet virus gained access to the (ring-fenced) operational technology of the plant; it recognised, targeted and manipulated part of the industrial control system responsible for spinning the plant centrifuges. The manipulation of operational technology represents a substantial property risk. 
 
Potential insurance losses
The resulting loss/ damage categories from a (re)insurance perspective are:
• Third-party liability – all forms impacted, from general liability (GL) to professional indemnity and D&O covers (failure to properly evaluate, manage and protect against cyber crimes);
• Property damage (loss of data and physical damage to machinery, servers, hardware, software and data, including back-ups);
• Business interruption losses following property damage; and
• Non-physical damage business interruption.
 
   The cyber insurance market is steadily growing and to date, there are over 60 insurers globally offering cyber insurance solutions on a stand-alone basis or by endorsement. Pricing and wordings vary significantly across global markets. Gross written premiums in 2014 were approximately $2 billion; this is expected to reach $5-10 billion as the worldwide demand for and availability of such products increase over the coming years. 
   Despite the vulnerability and significant loss potential, cyber insurance cover remains almost totally absent for physical damage and limited for business interruption (non-physical damage and property damage). For these, there remains a lack of clarity amongst insureds over the exact exposure potential, irritation at limited availability of protection, and confusion linked to non-standardised covers.
   The result of all these factors is that insureds are increasingly asking for cyber protection to be added to their existing liability and property covers, either through endorsement, or (of particular concern) by removing the cyber exclusion.
 
Cyber insurance: Not just an add-on
Cyber risk has generally been excluded from both standard GL and property (re)insurance covers. However, in today’s softer market and with demand for financial (re)insurance protection for cyber risk on the increase with pressure from insureds, there is an increasing tendency for cyber exclusions – such as CL 380 or NMA2915 – to be removed from GL and property wordings. This is a problematic approach, given the systemic and complex nature of this risk, high exposure and lack of data upon which to build a strong underwriting platform.
   A sustainable (re)insurance market that offers insureds proper protection now and in a fast-evolving future is one that delivers smart insurance and reinsurance solutions. These solutions will need to be properly underwritten, either as stand-alone covers or endorsements, be based upon and encourage effective risk assessment and mitigation measures, and be supported by strong risk management and accumulation control.
   Success will be heavily determined by the terms and conditions of the cover, adequate risk premium and occurrence limits, supported by sub-limits and deductibles. This, in turn, requires greater understanding of the interconnectedness of risks, and critically, industry initiatives to access greater volumes of cyber loss data.
   PartnerRe has developed specialty expertise in cyber risk protection for clients in worldwide markets and is active in cyber risk conferences and discussions – our aim is to share insight, be proactive in developing a stable market and to create innovative risk solutions that meet the needs of our clients. If you would like to discuss this topic and find out how PartnerRe can help your business, please go to www.partnerre.com for contact and company information.
 
Percentage of respondents reporting an increase in demand for cyber liability protection by industry sector – results of a US underwriter market survey
 
Mr Markus Bassler is Head of Energy & Special Risks with PartnerRe.
 
This article is an extract of a paper of the same title which is available on the PartnerRe website. 
 

 
