With the risk of some terrorists transferring their activities into cyber space, companies and insurers will need to adjust their risk management and transfer solutions.
Cyber terrorism is arguably one of the biggest emerging insurance risks. The need for the insurance market to cover property damage and direct business interruption (BI) caused by terrorist hacks has become ever-more apparent in the last year, following various large-scale cyber-attacks.
Take, for example, the NotPetya ransomware attack in June 2017. The American pharmaceutical company Merck reported severe disruptions to its manufacturing capabilities, limited Merck’s ability to produce vaccines and medications. The total loss to Merck has been estimated at hundreds of millions of dollars.
Worst-case cyber terrorist incidents would include an attack on aviation infrastructure, railways, chemicals plants and munitions factories.
Meanwhile, Danish shipping giant A.P Moller-Maersk reported system failure and an inability to access emails. Business volumes were negatively affected for a couple of weeks, with Q3 results expected to be hit by around $200-300 million.
Previous international incidents include a December 2015 power outage in Ukraine, which was suspected to have been the work of the Russian state. The blackout lasted for eight hours and affected 225,000 people. In 2012, Saudi Aramco faced a vast cyber-attack that crippled the company, causing infrastructure to come offline.
Terrorist hacks of installations including power plants, dams and factories have entered threat plans for insurers. Worst-case cyber terrorist incidents would include an attack on aviation infrastructure, railways, chemicals plants and munitions factories, according to research that Pool Re commissioned from Cambridge University's Centre for Risk Studies.
For instance, Pool Re recently launched reinsurance for cyber terrorism, which will become effective on 1 April 2018. The cover marks the first major change to Pool Re's remit since chemical, biological, radiological and nuclear attacks were added in 2002.
This development comes at a time when some Property insurers – whose profit margins have been placed under particular pressure following recent market losses – may start rowing back on some of the cyber terrorism coverage they provide through existing policies. This trend could well start to develop across 2018 and into 2019.
Companies with a large physical footprint – particularly critical infrastructure companies – could be particularly exposed to cyber terrorism.
This may spur an even greater need for, and further creation of, standalone specialist insurance policies covering first-party physical and non-damage BI losses from unauthorised cyber access.
Property policies may still provide some limited coverage, but this may be less likely in future. As a result, certain companies and industries with a large physical footprint – particularly critical infrastructure companies – could be particularly exposed to such risks, and find themselves under-insured.
This underinsurance could manifest itself between different insurers in the same insurance tower. In the event of a large claim, where numerous insurers would almost certainly be involved, there might be a lack of clarity, consistency and conformity over the extent that first-party physical damage and BI losses are covered. This confusion could cause considerable confusion and delays when trying to settle a claim.
Most countries have yet to suffer a major terror attack with an officially-classified ‘cyber trigger’. However, as technology becomes ever-more entrenched in organisations’ operations and infrastructures, the risk of this occurring is only likely to increase.
For more information, please contact Adam Watson, Head of North American Property & Terrorism Team, on:
+44 (0)20 7933 2022