Editor's note: These insights were first published as a Lockton Companies white paper.

In the movie Arrival, government scientists come face-to-face with extraterrestrial visitors, not knowing if they're friendly or why they've landed on earth. A linguist is brought in to decipher the aliens' language, yet despite her best efforts, she can only translate a few syllables. Armed with this incomplete information, some of the world's most powerful governments react irrationally and mobilize for a military attack.


We've met the enemy

There are parallels in cyber risk. We're learning more all the time as defenses and protections improve, but much is still unknown. The playing field favors the attackers, while emerging vulnerabilities bring new revelations at a seemingly inexorable pace.

Absent thoughtful mitigation strategies, the odds of making ill-informed decisions will only increase.

What we know about cyber risk is only a fraction of the vast unknown. While general awareness continues to grow with each incident, progress made on the mitigation front is usually eclipsed by the latest attack or breach.

The threat is evolving because the spectrum of motivation is widening, and weapons once considered esoteric are more widely accessible than ever.

The actors no longer have only criminal intent (e.g., stealing data for personal enrichment), but these 'agents of chaos' are increasingly sabotaging companies and governments for political and terroristic gain, leaving significant first party damage in their wake.


Layers of vulnerability

A cyber attack on Saudi Aramco threatened to cut off a large percentage of the world's oil supply when an employee clicked on a link that released a virus into the company's computer systems. As a result, 35,000 computers were frozen, Internet service went down, and phones went dead. Typewriters and fax machines were pressed into service, and the company had to turn away transport trucks because it lost the ability to make electronic payments.

Hackers seized control of a blast furnace in a German steel mill, causing "massive" property damage, according to reports. At the time the incident came to light, Wired magazine warned that attacks on industrial control systems "in the electric grid, in water treatment plants and chemical facilities, and even in hospitals and financial networks … could cause even more harm than at a steel plant."

In October 2016, Amazon, Comcast, The New York Times, Starbucks, and scores of other large companies were impacted by an attack on DNS provider Dyn. Hackers used a network of infected devices called a botnet to flood and overwhelm Dyn's servers, which rendered many popular websites inaccessible.

Clearly, the cyber threat is growing as weapons and motivations evolve.

There's strong evidence that for the first time in history a nation-state is employing ransomware.

Geopolitical concerns

Britain's security services recently joined a host of other agencies in concluding that the WannaCry outbreak was the work of the North Korean government. In May 2017, WannaCry seized control of computers running an older version of Microsoft Windows — in particular, operating systems that didn't have a patch previously issued by Microsoft, including unlicensed systems that weren't eligible for the patch. The attack infected hundreds of thousands of computers in more than 150 countries, demanding payment to release them. Organizations affected included Britain's National Health Service (NHS), Spain's Telefónica, FedEx, and Germany's railway system.

Distributed denial of service attacks (DDoS) are also growing in size and sophistication, and even Internet of Things (IoT) devices within a botnet now contribute to exponential amounts of bandwidth to overload servers with data. Unlike attacks on retailers to steal credit card information, DDoS attacks can cripple an entire enterprise. Instead of draining bank accounts or fraudulently purchasing goods, the intent is to render an entire ecosystem ineffective — or even worse, powerless.


The Internet of Things

Another emerging threat that's outpacing available defenses is attacks on physical devices and assets. The Internet of Things has improved efficiency in our daily lives; we can control the environment in our home from our smartphones, and wearable devices give us actionable health data. In the commercial world, the IoT is delivering remote control and diagnostic capabilities to big machines—everything from jet engines to industrial controls. Companies that want to improve margins and efficiencies are connecting operational technology (think turbines in a utility) to corporate IT networks and running them remotely instead of with humans. Yet, the IoT is a double-edged sword because the number of significant physical assets at risk for disruption is growing rapidly. With a projected economic impact of $11 trillion by 2025, the attraction of the IoT is irresistible for hackers.


There's greater transparency on personal data theft because retailers and other industries that handle it are required to disclose a breach to its owners. With respect to attacks on companies motivated by sabotage, for example, it's difficult to know the scale of the threat because companies haven't been required by law to disclose. Yet more will come to light with the increase in regulatory oversight. For example, the state of New York now requires financial services firms to notify the state Department of Financial Services of cybersecurity events, scrutinize the security of third-party vendors, perform risk assessments, and design a cyber mitigation program.

Cyber risk is now one of the most important issues in the boardroom.

Insurance market response

Despite the growing attention that cyber risk now commands, first-party consequences are one aspect that has been marginalized or even overlooked.

Cyber risk is no longer confined to liability from handling personal data, but has implications related to property and physical assets that warrant serious consideration.


The evolving nature of the threat is posing a challenge to legacy property policies that were never intended to cover cyber risks and are often silent on whether those risks are covered or not.

Historically, stand-alone cyber insurance products have resided with the financial lines carriers, but when it comes to first-party cyber risk, the insurance market is fragmented. The lines have become blurred as to where coverage starts and stops between insurers. It's difficult for buyers to navigate this relatively new world and know where to find the right product. Although a number of market participants are strongly advocating for cyber insurance to be accessed only through all risks policies, this development is unlikely to occur anytime soon, if ever.


Catastrophic proportions

From small businesses to Fortune 500s, every enterprise that uses a computer network has assets that can be compromised by a cyber incident. Some of the first-party consequences of the incidents described above are:

Property damage: Equipment sustains physical damage in an attack. Researchers predict there will be upward of 20 billion connected devices by 2020, and experts agree that critical infrastructure, water, energy, nuclear reactors, and the communication sectors will all be at risk. Property insurance should cover the cost of replacement and installation of equipment as most cyber insurance products exclude property damage.

Network interruption: The insured is unable to operate after suffering a denial of service or phishing attack. This should be treated as a business interruption loss and the insured compensated for loss of income and the increased cost of working around the clock until the network is restored. The majority of cyber insurance products will address this risk, but many property carriers will exclude it based on their consideration of data as an excluded intangible asset and a cyber attack as an excluded peril.

Data corruption: Digital content is damaged, destroyed, or stolen in an attack. A cyber criminal can infiltrate a system through a phishing attack and delete manufacturing code, for example. Besides the Business Interruption consequences, property insurance should cover data restoration costs as a cyber insurance product would.

Theft of intellectual property: The calculation of economic loss is elusive when it comes to theft of intellectual property. This remains an uninsurable risk, as seen when Chinese hackers allegedly stole radar designs and engine schematics for the Lockheed Martin F-35 fighter jet. What remains elusive is how an insurer can model just how much economic damage can be inflicted on a defense contractor by the theft of proprietary confidential blueprints.

Cyber extortion: In this scenario, users are unable to access encrypted data until a ransom payment is made. While the majority of cyber insurers will cover this, it could be argued that this peril would fall under protection and preservation of property where physical property is involved because paying a ransom would restore the IT system and prevent the insured's physical property from being damaged.

Ensuing damage: Coverage for ensuing damage is also an important consideration. An example of this is seen in food processing, where most policies exclude a change of temperature in freezers. However, if hackers gain access to the controls and raise the temperature in a dairy's freezers, an entire inventory of ice cream products can be ruined. Some property carriers would consider this physical damage and are increasingly willing to cover it. Conversely, it's important to note the majority of cyber insurers would not cover this, as ensuing damage is damage to property other than data.

In all of these examples, the adversary has an advantage over the defender.

An attacker only has to be right once, but the defender has potentially multiple physical and intangible assets to protect as well as an ever-increasing attack surface and interdependencies with third parties.


The Internet of Things has introduced more connected devices that can be exposed to a cyber attack; thus, as physical assets, they should be considered by property underwriters.

Many companies have a difficult time defining and assessing their cyber risks. (Photo: iStock)

Selling cyber policies: It's all in the wording.

The purchase of insurance to cover first-party cyber risks, particularly to address physical assets, is only now being considered, and it is leading to considerable ambiguity:

Actuarial data is limited and has minimal relevance in the context of continually evolving threats and attack vectors.

Large, undefined coverage gaps exist in many property carrier forms.

Companies have a difficult time defining and assessing the risks they face.

As cybersecurity is now a business risk and no longer simply a technology consideration, brokers must position themselves as trusted advisors. They can play a vital role by helping clients identify and quantify risk to critical corporate assets and ultimately decide whether to transfer that risk through insurance or not. Products are coming on line which address the gaps in legacy property and casualty policies, known as difference in conditions and difference in limits policies.

Often, business interruption and denial of service are covered, but as far as ensuing perils are concerned, there's no uniformity among carriers. Understandably, many property underwriters have only limited experience with cyber and, therefore, find it difficult to classify data as "property." This represents an opportunity for risk managers and brokers to work toward a deeper understanding of the data that exists in enterprises and how that data impacts the risk.


The technology solution

Much has been written about the challenges of underwriting cyber risk for insurers, in particular catastrophe modeling for cascading losses from single events as well as insufficient actuarial data. A common theme is the lack of understanding of how an investment in specific controls moves the risk needle in a constantly changing threat environment. However, for the first time in this relatively brief period since cyber's onset, we can feel more confident about our ability to get ahead of the problem. Technology is playing an increasingly important role in our advancement, and the insurance industry has a powerful ally in Silicon Valley.

Just as linguist Louise Banks ventured into the belly of the beast to better understand the extraterrestrial visitors in Arrival, a rapidly growing league of intrepid investigators is exploring new frontiers. Deeper data analytics that promise to accelerate our understanding of cyber risk are emerging, as Silicon Valley firms join insurers and brokers to develop tools to evaluate an enterprise's security position from the inside and the outside. Traditional underwriting processes offer only a snapshot in time in a dynamic and fast-moving risk environment.

Technologies that help insurers evaluate risk in real time are supporting many more underwriting decisions today and, over time, will evolve to influence how these risks are priced.

In a nation where 80 percent of the critical infrastructure is owned by the private sector and beyond the purview of effective government regulation, technology innovation driving rigorous enterprise risk management will become the best way to improve mitigation and protect valuable assets such as data, intellectual property, and machinery.


'The new asbestos'

Cyber risk is certainly insurable, but in many respects, it's the new asbestos. Its reach appears to be infinite. It's also an existential threat to business, where one event can cause multiple losses in unanticipated ways. This is due, in part, to the fact that the cyber threat has been shown to have a growing impact on physical property. In this instance, it would be advisable to adopt a historical context and acknowledge the parallels to the evolution of property insurance. Just as the introduction of fire protection systems transformed underwriting of physical property, so should risk managers, brokers and insurers reevaluate physical assets in the context of cyber.

Addressing cyber risks as a property issue is a relatively new concept, which is why there is ambiguity in the insurance marketplace. Aggressive action needs to be taken because the risks are propagating at an alarming rate. The insurance industry must innovate so it remains an indispensable business partner to clients who have a lot riding on protecting their financial performance, reputation, and sustainability.

Jared Wosleger is an assistant vice president and a property/cyber broker at Lockton Companies, Inc. He can be reached by sending email to [email protected].
