Imagine this: Sophisticated hackers plant malware to shut down parts of the U.S. power grid in the northeastern United States, plunging 93 million people into darkness. Seem farfetched? This scenario, while unlikely, is technologically possible.
Understanding the impact of severe events is one of the key requirements for insurers to develop Cyber risk coverage. As such, what are the impacts as outlined by the above hypothetical model? According to Business Blackout, a joint report by Lloyd’s and the University of Cambridge’s Centre for Risk Studies, the scenario could cost the U.S. economy more than $1 trillion.
The report, which examines a hypothetical castastrophe of a 50-generator blackout that affects 15 northeastern U.S. states, and includes New York City and Washington, D.C., also predicts a rise in mortality rates as health and safety systems fail, a decline in trade as ports shut down, disruption to water supplies as electric pumps fail and chaos to transport networks and infrastructure collapses.
Economic impacts include direct damage to assets and infrastructure, decline in sales revenue to electricy supply companies, loss of sales revenue to business and disruption to the supply chain. The total impact to the U.S. economy is estimated at $243 billion, but costs would rise to more than $1 trillion in extreme situations, the report says.
The report also estimates that the insurance industry would pay $21.4 billion in claims, but payouts could rise to as much as $71.1 billion in extreme situations, due to the wide range of claims that could be triggered by an attack on the U.S. power grid.
Claimants would include power generation companies, defendant companies, companies that lose power, companies indirectly affected (such as those outside the power outage, but impacted by supply chain disruption), homeowners and specialty (such as events). Claims would arise under 30 lines of business, especially through commercial property, general liability, downstream and energy liability, film and event contingency, trade credit and business interruption.
In Table 5, above, S1 and S2 represent two typical scenarios arising from the blackout, while X1 represents an extreme variant.
Devoping insurance solutions
Business Blackout names three attributes of Cyber risk that are of significance when developing insurance solutions: systemic exposure, the fact that cyber attacks are an intangible peril, and the nature of the threat.
“Governments also have a role to play. We need them to help share data, so we are able to accurately assess risk and protect businesses,” says Tom Bolt, director of performance management at Lloyd’s. “As insurers, we need to think about these sorts of complex and interconnected risks and ensure that we provide innovative and comprehensive cyber insurance to protect businesses and governments. This type of insurance has the potential to be a valuable tool for enhancing the management of, and resilience to, cyber risk.”
Digital networks and shared technologies form connections that can be exploited by hackers to generate widepread impacts, and insurers could be required to meet claims across many different classes of cover, the report says. With systemic exposure, carriers must apply dedicated and thorough exposure management for cyber risk across the entire portfolio.
Victims often only become aware that they are under cyber attack months after a breach. Malware, particularly, can lie dormant and undetected. For insurers, the nature of cyber attacks presents challenges for assessing risk exposure.
Thirdly, cyber attacks are often treated as problems that arose due to technology–but carriers must recognize the human component. “The evidence of major attacks during 2014 suggests that attackers were often able to exploit vulnerabilities faster than defenders can remedy them,” the report says.