Cyber risk – issues involving physical damage
The idea that cyber risks are new is wearing thin, leaving behind the harsh reality that exposures to cyber risk are serious, are here to stay and seem only to be getting worse. Both the severity and frequency of cyber events are increasing, be it a hacking attack, extortion or human error.
Whilst many of the biggest and most costly cyber events have involved data breaches, DDoS attacks and theft of industrial secrets, we have now entered an era where thought must be given to the risk of cyber events causing real damage to physical things or even bodily harm to people. Critical infrastructure and utilities are ever more reliant on complex computer systems.
Although the frequency of such events is considerably lower than the frequency of data leaks caused by malicious attacks, any event that is able to cause physical damage could have far reaching consequences.
It is not surprising, then, that in recent months there has been more emphasis on monitoring such risks, particularly in the insurance industry, which will inevitably end up facing claims from a ‘physical cyber event’.
Extent of losses
The types of loss that might arise from a physical cyber event are varied. Losses to physical property may not be restricted to the thing that is hacked but could quite easily be more widespread, for example, damaging other items of property, which may or may not belong to the insured itself, thereby giving rise to additional third party liabilities. A basic example of how this might arise is a cooling system for a server room being hacked, causing the computer equipment to overheat and malfunction. The extreme heat then causes a small fire to break out, which spreads and damages the building and potentially adjacent properties or different floors within a larger block. This may seem exceptional but there are occasions of physical damage having been caused by hacking attacks, both intentionally and unintentionally. Moreover, with the constant developments in technology that are being achieved, more exposures and areas of risk can arise. One such example is the development of self-driving cars.
Sector focus and examples
Some sectors are more at risk than others. The energy sector has long been identified as a high-level target for both hack attacks and for other system exposures, including those which are not the result of malicious attacks. Similarly, the aviation, shipping, manufacturing and automotive industries are at particular risk, as well as any large scale national infrastructure such as utilities. These areas all have in common a great reliance on computer systems to manage and control physical processes and operations. Whilst a cyber event involving physical damage may be considered low frequency at this point, for these areas in particular any loss is likely to be high value and quite possibly a significant market event for the affected insurers.
It is important that all insurers are fully aware of the full scope of cover offered by their products. It is advisable to undertake reviews of non-cyber specialist insurance policies to ensure that they mitigate the risk of unintentionally covering a cyber event. Whilst this may be achieved by narrowing definitions or including market-standard exclusions in wordings, insurers might also consider broader exclusions for all cyber-related risks, however arising.
Underwriters might also consider including sub-limits where an element of cyber risk is intended to be assumed, to limit their exposure. It may also be appropriate to engage cyber specialists to aid in risk reviews.
In any event, the exposure of insurers and their insureds to cyber-related losses is prominent and is increasing. As the nature of cyber risk changes, so must insurers, to ensure that they do not assume unwanted and unmeasured risks.
Authors: Simon Cooper, Sam Batchelor