Out-Law / Your Daily Need-To-Know

Lloyd's report highlights implications of major cyber attack for insurers

Out-Law News | 09 Jul 2015 | 4:27 pm | 3 min. read

A major cyber attack on the US power grid could cost the US economy hundreds of billions of dollars and expose insurers to major costs from the widespread claims they would face, an insurer has said following a hypothetical study.

Lloyd's of London, together with the University of Cambridge's Centre for Risk Studies, assessed what the insurance implications of a cyber attack on the US power grid would be (68-page / 6.72MB PDF) in a new report. The report outlined a hypothetical scenario where hackers use malicious software to exploit vulnerabilities in electricity generators.

The theoretical attack caused an electricity blackout in 15 US states and left 93 million people without power, some of which for a number of weeks. Under the scenario that is fleshed out, there is "a rise in mortality rates as health and safety systems fail; a decline in trade as ports shut down; disruption to water supplies as electric pumps fail and chaos to transport networks as infrastructure collapses".

Lloyd's said that whilst "improbable", an attack of this nature is "technologically possible". It estimated that the "economic impacts" stemming from the theoretical attack would include damage to assets and infrastructure, reduced revenue for electricity suppliers and loss of sales for businesses. If the attack happened in reality, it would cost the US economy $243 billion and perhaps even up to $1 trillion if the "most extreme version of the scenario" manifested itself, it said.

Such an attack would have implications for insurers, Lloyd's said. Insurance losses from the incident would be $21.4bn, and possibly as much as $71.1bn, it estimated.

Cyber risk and insurance expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said: "Insurers will be concerned about the aggregation of risks and claims. Myriad potential exposures arise in this scenario across a number of different sectors."

Lloyd's said insurers would have to respond to "a broad range of claims that could be triggered by disruption to the US power grid". Birdsey said insurers could face various claims including business interruption losses, other first party losses incurred in managing incidents, third party claims and network damage costs.

In its report, Lloyd's said power generators could claim for property damage, business interruption and regulatory costs and fines. Insurers could also face claims from companies that power generators sue to recover their own losses and from businesses that suffer as a result of any blackout, for example from those that lose "perishable cold store" stock and that otherwise are disrupted from carrying out their business, it said.

Other claims could come from companies indirectly affected by the power outage, such as those operating in the supply chain of businesses directly disrupted by the attack. Homeowners might also lodge claims where their property is damaged as a result of a loss of power, for example from the defrosting of freezer contents, it said. Insurers might also have to foot the bill for event cancellations stemming from a lack of power, Lloyd's said.

Insurers can prepare for such an attack by innovating with the products they sell to address cyber risk and by "reducing uncertainty concerning cyber risk" through "research and analysis", the report said.

"Data will be a key factor for enabling further analysis and the development of models to enhance the understanding of cyber risk," Lloyd's said. "The systemic, intangible, constantly evolving nature of cyber threats presents significant challenges for gathering the data required to achieve accurate quantification of the risk for insurance portfolios which could span the global economy. A key mechanism, therefore, by which any insurance or research organisations might be able to achieve the insight needed to capture the full extent of the risk could be enhanced data exchange."

Information sharing among insurers can also help address the cyber risks they face, Lloyd's said.

Birdsey said: "One of the main challenges in the UK, which has been recognised by government, is that a number of insurance markets do not have detailed management information including loss ratios in order properly to price cyber insurance premiums."

The Lloyd's report said: "The scale of event described in this report reveals the very wide scope of data that insurers require in order to reduce uncertainty concerning severe events. The sharing of insurance loss data attributable to cyber events among insurers could contribute to this, but this is unlikely to be sufficiently comprehensive in isolation to accurately assess extreme events spanning the full spectrum of threat and every economic sector. Voluntary sharing of cyber attack data, involving a wide range of parties with an interest in developing resilience to cyber attack, offers the most promise for enabling the insurance solutions required to meet this key emerging risk."

A recent report from Standard & Poor’s said insurers need to be cautious when moving into the cyber insurance market because of the challenge in underwriting and pricing risk, according to the Cyber Risk Network.