Cyber-type non-physical triggers mainly involving industrial security or control systems have the ability to cause substantial physical damages and resulting business interruption. The losses could be huge and the risks will only get bigger.*
Much of the focus on cyber risks from businesses and their insurers has been on data protection, particularly protecting consumer details. This focus is likely to increase in Europe as the forthcoming EU General Data Protection Regulation nears implementation. However, other cyber risks are being ignored by many firms. “Privacy and consumer data losses are just one small element of cyber risk,” says Sam Tiltman, JLT Global Communications, Technology & Media (CTM) Practice Leader.
“The prospect of cyber attacks causing physical damage is among the most striking of these, yet it has been largely ignored,” he warns. Partly this is due to the relatively small number of reported losses. Many of the worst discussed losses to date have been theoretical – such as Lloyd’s’ recent report, Business Blackout, on the potential impact of cyber attack on the US power grid (the plausibility of which has been questioned by some industry figures) – or experimental, in the case of the two security researchers who took control of a Jeep over the internet. Yet there are good reasons to take the threat seriously.
How many losses?
First, the potential impact is huge. Lloyd’s Business Blackout report estimated the economic impact from the scenarios it examined would be from USD 243 billion to USD 1 trillion; with insured losses estimated between USD 21.4 billion and USD 71.1 billion (the report describes all such theoretical scenarios as realistic, although some parties have queried this).
Second, unlike data breaches, there is no regulation to compel businesses to publicise incidents, which means that, despite some high-profile incidents, many cases are likely to be unreported.
“Not many companies will put their hands up to an incident if they don't have to,” says Katie Moore, research and development manager at Airmic.
What are the implications for the CTM industry?
Potential loss scenarios based upon the broad and diverse sectors in which his CTM Corporations operate in:
- Telecommunications – destruction of critical infrastructure such as data centres, switch centres, payment processing centres and potentially even more localised damages at broadcasting towers.
- Semiconductors and technology manufacturers – plant damages and/or more isolated damage to critical equipment within the supply chain, leading to business interruption. Potential loss scenarios could potentially include fire and explosion, flooding events (safety systems), disruption or contamination of clean room areas and simply just shutting down key infrastructure/equipment.
- Media – broadcasting centre damages, equipment damage, interruption to production and transmission (in particular to live content).
This is a preview of our detailed paper, to obtain the full version please contact Sarah Stephens, Head of Cyber, Technology and Media E&O on +44 (0)20 7558 3548 or email firstname.lastname@example.org alternatively contact Kate Payne, Head of Comm Tech on +44 (0)20 7528 4445 or email email@example.com
*The following is a Communications, Technology and Media (CTM) adaption of a recent article written for JLT Specialty’s in-house Risk Specialist publication, which is a follow-on from a discussion held at the AMS 15 CTM conference June 2015.