Cyber risk gets physical

26 October 2017

"We are living through a digital revolution" stated Martin Delaney, Senior Vice President, Leader, Cyber & Risk Management Services at JLT Canada, at the RIMS Canada conference, in Toronto from September 24th – 27th 2017.

Delaney went on to say, "There is more money in cybercrime today, than there is in the worldwide illicit drug trade." Cybercrime is now estimated to be at USD 500 billion and it is projected to increase to USD 2 trillion by 2019 (Steve Morgan, Forbes). Last year cyber-attacks impacted the aggregates – this year it seems to be physical assets...and a discussion around business interruption and loss of revenue." Delaney used the example of a retirement facility that had its elevators shut down until the ransom was paid, to illustrate how "cyber has leapt from data to the physical realm." The recent cyber attack, "NotPetya", in July 2017 and the automated malware, "Crashoverride" that took control of the industrial control system for a power grid in the Ukraine in 2016, further support Delaney’s statements.

The emergence of physical damage from cyber attacks is concerning. Not only is information stolen or leaked out, but the overall business is impacted: production and manufacturing processes are stalled, distribution is stopped, sales are hindered and the brand reputation can be destroyed. Today, the business interruption that results from a cyber attack can cost hundreds of millions, if not more.

As noted by David White, Founder and COO at Axio, "NotPetya impacted more than 2 million computers within 2 hours of being released on the internet." It affected both small and large-scale organizations. "Maersk, a global leader in shipping and ports had to halt operations at 76 ports around the world," White explained. The company estimates the business interruption to cost them USD 300 million. The parcel carrier, FedEx, was similarly affected by NotPetya; they too believe the business interruption will cost them USD 300 million. The financial loss is only increasing as the investigations of these events continue. These are just two examples of the damage done by cyber attacks.

As mentioned by all specialists on the panel, there are many challenges within the cyber industry: cyber coverage is fairly new in the insurance market, it is constantly evolving and each cyber attack is different. These variables make it difficult for insurers to know where to place a cyber incident, especially if it causes physical damage.

One of the biggest challenges in the cyber industry for Brokers and Risk Managers is to get people to understand that the structure of their insurance program can change what solution is most suitable for them. The panelists explained that determining the appropriate cyber coverage for a business takes deep analysis and the prioritization of risks most important to that organization. According to one of the panelists, cyber insurance is "…more than providing a quick solution. It involves taking a holistic approach to understand all aspects of the business, such as where systems and processes could be impacted, and which coverage solution is best to fill any gaps."

They then added "Once you think you have your hand around your program and your risk profile, it's not something you can say, 'okay we'll re-evaluate in 3 years'." Your cyber coverage needs to be frequently examined because changes in your operations or availability in the market will guide how you address your cyber risk.

To offer a solution to these challenges, Lindsey Nelson, International Cyber Team Leader at CFC Underwriting, suggested that "there needs to be more consistency in the [insurance] markets and the [insurance] markets need to come together and actually address what cyber is." She further explained that a large part of the problem is that the term cyber is "a broad brush term and doesn't necessarily capture what an actual policy should be covering. Cyber itself is referred to as a 3rd party hack into your systems, but is also used as a term for privacy; for the unauthorized disclosure of your client information or your employee information."

Nelson later pointed out that she now sees 2 cyber claims each day, annually at CFC Underwriting. And, the cyber claims she is seeing are anything but cyber and privacy. In fact, 64% of the notifications for cyber breaches that CFC Underwriting received in 2016 had nothing to do with privacy or cyber whatsoever.

"The cyber market is only USD 2.5 billion, in comparison to the property market that has been around for decades and has hundreds of billions available in the market at the moment," Nelson further explained. Therefore, if a large infrastructure or energy company were to suffer a cyber attack, the total insured value of their assets and property would be in the billions. Consequently, one loss could be USD 10 billion, which would wipe out the entire cyber insurance market today. To further support her position, Nelson added that "the recent cyber attacks that caused physical damage amounted to 0.1% of overall exposure that the property market is taking on."

The Malaysian airplane that disappeared in 2014 was then provided as an example. Nelson explained: "Initially there was a 5% chance that it was a cyber event that caused the plane to go down. Since the incident, that chance has increased to close to 25%." Today, the insurance market is still debating whether or not it was a cyber event as they are still debating how it was caused. Since the loss was on the Airline’s property policy, it was paid out within 7 days. Nelson concluded that it's "not a matter of how it happened, but what happened and who’s going to respond and get there in an instant response perspective."

On that note, all panelists emphasized the importance of considering how quickly your organization can get back up and running after an attack, in order to mitigate potentially larger losses for your organization.

As the session concluded, Delaney suggested that both Brokers and Risk Managers have a role to play in advocating their perspectives on cyber coverage. A solution for the Insured that addresses what coverage is appropriate for physical damages caused by a cyber-attack is not settled. As mentioned by a panelist, "Cyber attacks can be quite large and complex, simultaneously impacting operations on two sides of the world." Based on the complexity of a cyber event, the panelists understand the hesitancy of the property market to step up and cover cyber related losses. They all agreed that Brokers and Risk Managers need to communicate their ideas and concerns to the insurance markets, and that the insurance markets should take more time to truly understand what cyber includes and work together to create new lines of coverage that include cyber.

For further information, please contact Martin Delaney, Senior Vice President - Leader, Cyber and Risk Management Services at ClientFirst@jltcanada.com.