Cyberwarfare and Insurance: Be Afraid
As this blog is being written, attention is focused on North Korea’s potential ability to deliver a nuclear bomb on US territory.
However, there is another, less speculative threat, which could be just as destructive: a cyberwarfare attack which disables power generation and power transmission grids. Loss of power for any extended period could produce critical shortages in food and water, widespread disease, and civil disorder.
Definition: Cyberwarfare is an attack on societally critical technology systems and infrastructure—by a state actor, or its surrogates, or a terrorist group—designed to cause widespread human and property losses.
Governments and think tanks are warning of nightmare cyberwarfare scenarios. We may have already seen a cyberwarfare dress rehearsal: the NotPetya attack which originated in Ukraine, a political/military hotspot. From societal and national security perspectives, these are very serious matters. But how any threatened country should act or react is beyond the scope of this blog.
However, there are also significant implications for the insurance industry that have yet to be adequately recognized and addressed.
It is true that the industry has mobilized to provide coverage for cyber risk losses (e.g. data theft, privacy violations, disruption of technology, etc.). But there is a lack of appreciation of how cyberwarfare (not cyber risk) attacks could spill over into insured losses in: commercial and personal auto and property, liability, business interruption, workers comp, life, health, and other lines.
While NotPetya and WannaCry first appeared to be ransomware attacks (i.e. cyber risk losses), they may in fact have been aimed at broadly erasing data and disrupting commercial operations. For example, NotPetya may not have directly targeted Maersk, the world's biggest container shipping line and operator of 76 ports, but nevertheless it severely crippled Maersk’s operations of port terminals in the US, the Netherlands, Spain, and India.
In a recent prescient report, Lloyd's of London (working with Cyence, a firm providing cyber risk economic modeling) estimated insured losses under two scenarios: an attack by “hacktivists” on cloud providers, and a criminal attack for financial gain exploiting a widespread operating system vulnerability. Insured losses for the first scenario ranged from US$620 million to US$8.1 billion; and for the second scenario from US$762 million to US$2.1 billion.
Note: neither scenario was based on a cyberwarfare attack.
It is true that almost all insurance policies have exclusions for losses caused by acts of war—and that TRIPRA 2015 provides a US federal backstop for the insurance losses caused by terrorist attacks. However, given the severe and broad social and economic disruption that a successful cyberwarfare attack would cause, insurers may be under severe political pressure to pay now and litigate later.
So what should insurers and the entire insurance industry do? First, start to understand and model cyberwarfare risks. Second, publicly and privately advocate hardening critical infrastructure’s physical and technological defenses against cyberwarfare attacks. Third, build contingent capital reserves by working with government, reinsurers and other sources of capital. And fourth, support strengthening national defense measures against cyberwarfare attacks.
Taken together, these may be only partial solutions—but they are a start.