As cyber exposures continue to evolve, property underwriters (along with those in other traditional lines of insurance) are increasingly unwilling to include coverage for physical damage caused by a cyber attack. Growing regulatory intolerance of so-called ‘silent cyber,’ led by action taken by the U.K.’s Prudential Regulation Authority and Lloyd’s of London, means all Lloyd’s insurers must soon either explicitly include or exclude both malicious and non-malicious cyber cover. With the market hardening, the majority of product lines are opting for the latter, leaving many insureds who had previously relied on cyber cover being included in their all-risks policies with a significant gap in coverage.
Other regulators are expected to follow suit, with rating agency Fitch already announcing it would begin incorporating the management of non-affirmative cyber risk within its ratings. Consequently, the extent of this coverage gap is expected to widen within the coming years.
The growth of IoT means more opportunities for hackers
The increased speed and capacity of 5G will play an important role in the growth of IoT (Internet of Things) technologies, many of which are being developed for use in smart buildings and operational environments. Unfortunately, in the race to rapidly develop smart devices, security and public safety can often be an afterthought. According to a report by McKinsey, the worldwide number of IoT-connected devices is projected to increase to 43 billion by 2023 — almost triple the number in 2018. As systems move away from secure, centralized hardware-based networks, the potential touchpoints for cybercriminals increase exponentially, whilst the scope of what needs to be protected and monitored by security functions is also extended.
Other technological advancements also bring new opportunities for cybercriminals. Smart building management systems, for example, can control myriad functions from sprinkler systems, lifts, CCTV, heating and air-conditioning, to storm protection, early warning and security systems — all on a single centrally-managed system, which many hackers are well equipped to hijack. Simply activating a sprinkler system could have a dramatic impact on a business; whilst it may lack the glamor of a Hollywood blockbuster-imagined cyberattack, it could potentially be highly damaging nonetheless.
Operational technology environments at risk
Likewise, manufacturing plants, utilities and many other industry sectors are becoming increasingly automated. Their operational technology (OT) environments, essentially the technology used to keep things (factories, power plants, facility equipment, etc.) running, were often designed before cybersecurity was even a consideration. Given the efficacy benefits that come from converging the information technology (IT) and OT environments, OT interconnectivity has become commonplace over the last decade or so. These now-connected systems, frequently lacking the most basic cybersecurity functionality, can easily become sitting ducks for cybercriminals.
This isn’t science fiction, it’s happening now. In one recent attack, hackers gained access to the control system of a German steel mill, causing components in the plant to fail, resulting in damage to a blast furnace. Software deployed in a Turkish pipeline system shut down alarms and raised pipeline pressure, which eventually caused an explosion. And a few years ago, malware reportedly shut down the safety instrumentation systems at a petrochemical plant in Saudi Arabia. The increased connectivity of operational technology, the use of IoT to control critical systems, and growing examples of malware targeting the OT environment mean future and more damaging examples of similar attacks seem inevitable.
Furthermore, it is not just traditional property that is at risk. This increased reliance on technology flows through to all aspects of today’s society — everything from cargo, vessels, cranes and excavators to electric vehicle charging stations. Any equipment with connected technology can open businesses up to potentially significant physical damage which may no longer be covered under their existing all-risk policies.
Businesses must better prepare for physical cyberattacks
While data breaches and ransomware attacks have become commonly understood across all industries today, general awareness about the physical damage cyberattacks can cause remains concerningly low. This is, in part, to do with regulatory requirements. In many countries, companies are legally required to report data breaches, which tends to produce a flurry of headlines when large corporations disclose they have fallen victim to an attack. Media articles increase general awareness about risk, as demonstrated in 2017 when broad media reporting of the NotPetya and WannaCry attacks made malware and ransomware household names. In contrast, few countries or regulators require businesses to report property damage resulting from a cyber attack. Such incidents therefore rarely make the headlines, leaving business managers and the general population ignorant of the lessons such examples might teach.
Even for insurers, gaining a sense of the totality of cyber-related property damage is challenging. For example, historically, when a cyber incident caused a physical loss under a traditional all-risks property policy, the loss may well not have been identified as a cyber-related incident or recorded as such. Consequently, this leaves insurers without historical data around these sorts of claims. This lack of extensive historical loss data is not, however, unlike the early days of the non-physical damage cyber market, although given the increased connectivity of IoT going forward, underwriters must be careful to not place too much reliance on historical events as a guide to the future in this space.
What is more important is modeling the exposure going forward, based on the environment today and ensuring that underwriters are tuned into the subtle changes in interconnectivity within the physical domain that occur as we move forward into the future.
With technological advancement comes increased convenience and efficiency, but it also brings complexity and risk. Much knowledge has been gained since the early days of cyber insurance and pooling that knowledge in a consultative, partnership approach, between insurer, broker and external cyber experts, will help close the coverage gap for our clients, enabling them to fully grasp the opportunities available to them to ensure continued coverage for this evolving exposure.
Camilla Walker is a cyber underwriter at Canopius. She joined the global specialty lines (re)insurer following the merger with AmTrust at Lloyd’s in 2019. Based in London, Camilla’s responsibilities include developing bespoke solutions for clients spanning all facets of the cyber and technology landscape, ranging from SMEs to large multinational corporations. Prior to joining Canopius, Camilla served as a cyber and intellectual property underwriter at Liberty Specialty Markets.