The threat of cyber-physical losses
We discuss a report by Lloyd’s and others on the threat of a malicious cyber-attack against control systems in key industries, and the risks involved.
The insurance market has been interested for some time in the increasing threat posed by cyber incidents. The market for affirmative cyber cover has grown significantly, and insurers and regulators have sought to understand how cyber losses might be covered under policies that do not affirmatively provide cyber cover (i.e. silent cyber). Cyber incidents have generally been viewed as affecting Information Technology (IT), rather than physical, systems. The losses occasioned by cyber incidents have likewise generally been seen as not involving physical damage (but rather, e.g., business interruption or data rectification).
Lloyd’s report regarding threats to industrial control systems
Lloyd’s report of February 2021 considers a form of cyber risk that has received relatively less attention – cyber-physical risk, which is the risk that cyber incidents result in physical losses. Closely connected with the growing threat of cyber-physical risk is the proliferation of industrial control systems (ICS), in which IT and operational systems are integrated. This integration is occurring in key industries. For example, in the oil and gas sector, sites are incorporating new technologies, such as the Internet of Things (IoT) and the cloud, for automation and intelligence. This integration means that a cyber incident has the potential not only to affect IT systems but also to impact operational systems and, through this, have physical consequences, e.g. causing explosions at refineries. Such incidents are not without precedent: a recent ransomware attack caused a US natural gas compressor facility to shut for two days. However, we are yet to see an attack on the scale imagined in the Lloyd's report.
The Lloyd’s report also identifies vulnerabilities in other key sectors (manufacturing, transportation and shipping), and the most likely pathways through which an attack would be launched. Lloyd’s considers that only a nation-state (or an affiliated actor) would possess the resources and level of technical sophistication necessary to initiate a large-scale malicious attack on ICS. Lloyd’s notes in this context uncertainties surrounding policy exclusions relating to nation states and ‘acts of war’ (as have been considered by the US courts in a handful of recent cases).
The report emphasises that, although a large-scale incident of this nature is unlikely to occur imminently, ICS systems, and threats to them, are rapidly evolving. Lloyd’s calls for steps to be taken to understand this risk before an incident causes market-wide losses (including by physical damage). Lloyd’s encourages insurers to continue to monitor the threat landscape and to assess how traditional coverages might be impacted (including how certain standard exclusions might operate), noting the potential impacts of a cyber-physical incident on the following classes of business:

Against the backdrop of the Covid-19 pandemic and the FCA Business Interruption Test Case, we expect that market participants will be keenly interested in shock events with the potential to impact the market in unexpected ways. You can read the report by Lloyd’s, Guy Carpenter and CyberCube in full here.






