2021 silent cyber scenarios: The cyber-physical insurance dilemma
At a glance
- Cyber-attacks on physical assets are on the rise.
- These attacks often leave organisations uninsured or underinsured due to “silent cyber”.
- There are innovative new options available, including standalone “physical world cyber-loss” coverage.
As digital transformation continues to reshape the business landscape, cyber-risks for businesses in every industry have intensified. The gap between physical and cyber infrastructures is shrinking. Technology is shaping not just the virtual world but also the physical world, with almost every asset now remotely connected, controlled and/or managed by operational technology.
Cyber-criminals have now moved beyond data breaches alone to more sophisticated cyber-attacks designed to breach operational technology and disrupt the operations of physical assets. According to a Verizon report, more than one in 10 data breaches had a physical component.
This transition has created “silent cyber” scenarios, causing significant insurance implications for many organisations, as they are often either uninsured or do not have enough insurance.
What is an example of a cyber-physical attack?
In one high profile loss event, malware infected the Industrial Control System (ICS) of an energy company and reprogrammed the Programmable Logic Controllers (PLCs) operating the plant's centrifuges. The altered PLC logic drove the centrifuges to operate outside their design limits and ultimately destroyed them, which resulted in significant material damage and business interruption for the company.
What is silent cyber and which insurance policies are impacted?
Recent major losses have shown that when control of these physical assets is taken over by a cyber-attack, the result can be significant material damage, business interruption and casualty losses that are typically not covered under property, liability or cyber insurance policies. This is an example of a silent cyber scenario, also known as “physical world cyber-losses.”
Physical world cyber-losses have been neither underwritten nor priced for in traditional property insurance policies, liability policies or cyber-insurance policies. As a result, many insurers' policy wordings have neither explicitly included nor explicitly excluded these types of cyber related losses, so whether the policy responds is left to interpretation after the loss. This phenomenon of non-affirmative coverage is known as “silent cyber.”
If you are interested to learn more about how to manage silent cyber risks, register for our upcoming webinar.
What is the regulatory landscape for silent cyber?
This issue has become a major concern for policyholders and insurers. In January 2019, the UK Prudential Regulation Authority (PRA) issued a letter to all UK insurers that stated they must have “action plans to reduce the unintended exposure that can be caused by non-affirmative cyber-cover.”
Also in 2019, Lloyd’s issued a market bulletin mandating that all policies must be clear on whether coverage is provided for losses caused by a cyber event, thereby eliminating silent cyber exposure. This could be achieved by either excluding cover or affirmatively covering the exposure in all property and casualty insurance policies. The deadline for the initial phase of the mandate, which covers first party property insurance, was January 1, 2020.
What are insurers doing about this?
The mandate and short timeline from Lloyd’s have led most insurers to apply exclusions rather than to affirm cover, citing concerns over the potential for aggregation from a systemic loss. To date, many of the proposed cyber endorsements on traditional property and casualty policies have been inconsistent and in some cases overly broad, such that they exclude ensuing loss from previously covered physical perils (for example, fire or explosion) simply because technology was involved somewhere in the chain of causation.
Based on proposed wordings, many insurers still overlook or misunderstand the fact that technology is integral to business operations across all sectors.
What does this mean for organisations?
Many companies are now finding themselves under-insured or without any cover for material damage/business interruption and liability losses where technology is in the chain of causation. To understand if your company is insured for these physical world cyber losses, a thorough review of your policy wording(s) is recommended in consultation with your insurance broker and an independent legal advisor.
What are your options to address silent cyber exposures?
Given that many companies may now be either uninsured or underinsured for physical world cyber-losses, risk managers, insurance managers, CISOs and CFOs need to consider how they identify, quantify, finance and treat these risks. Organisations should consider the following questions:
- What are our physical world “silent cyber” risks (if any)?
- What are the potential losses arising from these risks?
- How might our insurance program respond to physical world cyber losses? What is currently insured? Are we uninsured or partially insured? If partially insured, how much are we underinsured by?
- What insurance options are available to us in addressing any gaps in cover and what is the best risk financing decision (what to retain vs transfer)?
- How can we reduce the likelihood and severity of physical world cyber losses?
Risk management steps
To help businesses answer these questions, organisations should incorporate the following four steps into their risk management process when considering physical world cyber losses:
Step 1: Identify physical world cyber risks
- Where is the Information and Communications Technology that bridges your business’s Information Technology (IT), Operational Technology (OT), and physical assets?
- If this technology was compromised, could material damage, business interruption and/or liability losses occur?
- What scenarios may result in damage, in particular, those with a higher risk of significant damage?
Step 2: Quantify potential losses
- What are the material damage losses that might arise out of the silent cyber scenarios?
- What are the business interruption losses that might arise out of these scenarios?
- What are the liability losses that might arise out of these scenarios?
Step 3: Improve risk mitigation
- What is the business's current cyber security posture for preventing these risks and reducing losses?
- What can be done to enhance security and reduce the likelihood of these risks?
- What can be done to minimise losses if the IT/OT environment was compromised?
Step 4: Optimise the risk treatment strategy
- Where can businesses prioritise capital investment to better manage physical world cyber risks i.e. prevention vs loss minimisation vs insurance vs combinations?
- What is the expected cost of these alternatives and the recommended approach?
Are there any insurance solutions for silent cyber losses?
While there is some property damage capability and capacity available in the insurance market, the best approach is to review your overall coverage requirements with your insurance broker, as there are innovative and bespoke stand-alone cyber-physical covers which may provide additional protection.
The benefits of such standalone coverage include:
- Ability to better address material damage and associated business interruption losses arising out of a cyber-breach
- Potential to work as an extension to your current MD/BI insurance program and fill any silent cyber gap
- AUD$250m to AUD$300m of market capacity available
If you’d like to review or discuss your silent cyber coverage needs and options, please contact your Marsh representative, or contact us here.
For more information about the cyber insurance market, read our 2020 Australian Cyber Insurance Market Recap.
This article and any recommendations, analysis, or advice provided by Marsh (collectively, the ‘Marsh Analysis’) are not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Except as may be set forth in an agreement between you and Marsh, Marsh shall have no obligation to update the Marsh Analysis and shall have no liability to you or any other party with regard to the Marsh Analysis or to any services provided by a third party to you or Marsh. Marsh makes no representation or warranty concerning the application of policy wordings. Marsh makes no assurances regarding the availability, cost, or terms of insurance coverage.
LCPA No. 21/080.