Lloyd’s of London, in cooperation with the University of Cambridge Centre for Risk Studies, has just issued a report that looks at the financial and resulting insurance consequences of a cyber attack on the United States power grid. Based on a plausible scenario that takes a page from the Stuxnet attack, which seriously damaged Iran’s nuclear program, the Lloyd’s report models a cyber attack that damages 50 generators, affecting up to 93 million people, with a cost to the national economy of $273 billion. (The worst-case, upper-end estimate is $1 trillion.)
Particularly useful in this exercise is the insight it offers into the challenges facing the insurance industry. The report notes “The greatest concern for insurers, however, is that the risk itself is not constrained by the conventional boundaries of geography, jurisdiction or physical laws. The scalability of cyber attacks — the potential for systemic events that could simultaneously impact large numbers of companies — is a major concern for participants in the cyber insurance market who are amassing large numbers of accounts in their cyber insurance portfolio.” This is a warning that there is an impending problem if insurers and insured are not clear about coverages and limitations.
The report refers to “silent” cyber exposure where claims may be made in coverage areas not immediately seen as cyber related, saying “Insurers may not realise the extent of their exposure to this emerging threat class, and may not have charged premium to cover this aspect of the risk. Insurers may be holding more cyber exposure in unexpected lines of business in their portfolio than they realise.”
In support of this premise, Lloyd’s indicates there would be at least six categories of claimants under the power grid attack scenario: most obviously the power companies, who would suffer property losses, business interruption losses and incident response costs, among others, as well as suppliers or vendors who might bear some culpability for the equipment failure. Then there’s the victim class.
Companies that lost power represent another claimant category, as do companies outside the affected area that do business with those companies that lost power. Homeowners and their property insurance would come into play, as would specialty insurance for things like event cancellation. There would be multiple classes of liability claims, including, notably, Directors and Officers liability coverage. The report says “There is a limited but growing body of case law to support the contention that companies owe a duty of care to their shareholders to maintain risk management procedures to deal with crises. Companies that are adversely affected by the blackout, particularly those that in some way perform worse than their competitors, lose market position and see stock price valuations marked down by analysts, are increasingly likely to see legal actions against the officers of the company by their shareholders.” Interestingly, the Lloyd’s economic model forecasts that shareholders would recover around 75 percent of their claims.
We know that demand for cyber insurance is growing rapidly. Yet there is understandable reticence among some insurance companies to offer products to meet that demand. While the scenario postulated by Lloyd’s supports that reticence, the report does offer some reassurance, saying “cyber attacks and IT events are not unlimited or infinitely scalable. They can have significant constraints that limit attack severity and curtail the amount of loss that insurers may face. A successful cyber attack has to overcome all the security systems put into place to protect against it, requires expertise and resources by the perpetrators who face their own risks of identification, prosecution and retribution, and the loss consequences of attacks are mitigated by risk management actions.” The last point is particularly worthwhile: the loss an insurer ultimately faces depends heavily on the risk management measures the insured has already put in place.
To their credit, Lloyd’s recognizes that the insurance industry is uniquely positioned to help companies better prepare for cyber risk. In discussing cyber risk the report notes that “insurance has the potential to greatly enhance cyber risk management and resilience for a wide range of organisations and individuals who are exposed to its impacts.” The key here is to share information on a voluntary basis so that insurers can better calibrate risks and help drive enhanced risk management processes. The Lloyd’s report makes a valuable contribution to understanding cyber risks and challenges facing companies and insurers, and is well worth reading.
By Tom Davis, SDI Cyber Risk Practice
SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.
July 14, 2015