Managing Risk at the Intersection of Technology and Engineering

Insurance markets have covered physical damage losses for over four centuries. With the advent of "silent cyber" regulatory mandates in the UK, as well as rating agency concerns with insurer solvency in the event of a systemic cyber event, there is an increased focus on silent cyber exposures. Silent cyber is the term for exposures to cyber losses within traditional policies where those losses are not clearly covered.

Insurers are responding with broad exclusions to property and casualty policies. By limiting previously insured resulting loss, these exclusions can create coverage gaps that leave organisations exposed. These same organisations, which are dependent on their physical damage risk being fully covered, are urging the insurance community to continue to cover physical damage losses in their all risks property policies.

The imposition of silent cyber exclusions on property programmes overlooks the reality that kinetic cyber risk sits at the intersection between traditional cyber risk and physical risk. The insurance market has looked to insure confidentiality, integrity, or availability of data in a dedicated cyber market with no intent to cover physical damage losses. Since its formation, the property market has dealt with covering physical damage to property. This "physical cyber risk" intersection is where gaps are being created by these new market exclusions.

Industrial cyber security sits between two disciplines: Technology (Information/Operational) and Engineering. Understanding how cyber risk manifests itself in an industrial setting is the first critical step for risk managers trying to assist in the decision to accept, avoid, manage, or transfer risk. In order to understand and assess the risk or exposure to cyber physical loss, engineers, cybersecurity experts, and risk managers must contribute to the risk assessment, with the engineers leading the effort.

Currently, the insurance market is still debating whether cyber risk is a distinct peril or a contributory cause to other perils, such as fire, explosion, and machinery breakdown. Underwriters need to recognise that engineering is still at the core of safety and reliability, overseeing the functional operation of equipment, which is where physical damage occurs. Although the threat of malicious actors exists, the most common types of losses are suspected to be from operational errors—and, whether they are caused by engineering or technology failures, both accidental and malicious threats have the potential to cause kinetic damage.

In 2007, an experiment took place in the US. Researchers procured and installed a 2.25 MW generator and connected it to a substation. They needed remote access to a programmable digital relay or another device to control the breaker. That access could have been through a mechanical or digital interface. The researchers used a cyberattack via remote connectivity to open and close the breakers out of sync, to maximise the stress. Each time the breakers were closed, the torque from the synchronisation caused the generator to bounce and shake, eventually causing parts of the generator to be ripped apart and sent flying off. The physical damage resulted from a physical condition being disturbed, which an engineering control could have addressed, and did not stem directly from data manipulation. The remote connectivity used as the attack vector should not be confused with the reason the physical damage occurred, which was an out-of-phase condition. Aurora is a type of vulnerability that is associated with manipulated physics, which some experts argue is easily prevented by adding another protective relay that monitors the condition.

Differentiating between IT/OT and Engineering

For many organisations, IT/OT and Engineering are closely intertwined, but there is a meaningful difference between Technology (Information/Operational) and what is ultimately an engineering process.

  • Information Technology (IT) is the common term for the entire spectrum of technologies for information processing, including software, hardware, communications technologies, and related services. Essentially, IT is static data generated for enterprise use.
  • Operational Technology (OT) is technology (hardware, software, firmware) that detects or causes a change through the direct monitoring and control of assets, processes, events, and industrial equipment. This is dynamic data.
  • Engineering focuses on safety and reliability. The function should be responsible for the OT networks, but not for putting OT networking systems in place. The operating process in the OT zone should be part of the responsibility of engineers.

Cyber security has evolved from the protection of static data to now protecting dynamic data, and thus physical assets. Companies will benefit from their engineering specialists being more involved in the cyber security decisions that are often made by IT/OT professionals with a focus on industrial control systems.

This collaboration of internal stakeholders from IT/OT, engineering, and risk management should translate into the same approach taken by property insurers. Market leading property insurers should demonstrate expertise in evaluating cyber physical risks, with the basis of the assessment starting from engineering, and further incorporating cyber security expertise by collaborating with their cyber underwriting colleagues to evaluate the implementation of those cyber security controls. The effectiveness of the cyber security controls is now heavily dependent on the engineering framework in place, to ensure that safety and reliability are both achieved in the engineering process.

Summary

Information or Operational Technology amplifies risks to an organisation, and for many clients it has created the intersection of "physical cyber risk". Traditional cyber underwriters should be involved in the analysis of cyber controls in place from an IT/OT perspective. However, they will not have the expertise to assess the engineering controls and processes that clients need to have in place to maintain the safety and reliability of operations. This is why collaboration is needed, both in the insurance market between cyber and property underwriters, as well as at the organisational level, in order to effectively manage this intersection of risk. This new way of underwriting should lead to organisations maintaining their physical damage coverage in their current property placements.

Due to the meaningful difference between IT, OT, and engineering processes, risk analysis should focus on the direct link between engineering and physical losses, and thus on better understanding the cyber physical risk insurers are committing to cover for their clients.

In order to effectively manage the current market challenges, risk transfer discussions should take place up to six months ahead of any insurance renewal. Organisations may decide to engage their property and cyber brokers earlier if they need additional support in managing risk at the intersection of these two disciplines. All stakeholders (organisations, insurers, brokers) need to drive change in their approach to physical cyber risk in order to reduce uncertainty of coverage and drive meaningful change in the current property or cyber insurance markets.

Meet the author

Monica Tigleanu

UK Cyber Property Damage Leader, Marsh Specialty UK

  • United Kingdom