A number of government-supported reinsurance pools are looking at offering cyber terrorism cover, which should encourage the development of a more robust market for cyber terrorism insurance cover.
A number of reinsurance pools have extended their coverage to include cyber terrorism. The US and UK pools now both cover cyber terrorism to some degree, while Australia is consulting on whether to extend its offering to include property damage cyber terrorism.
Most recently, the UK’s terrorism market reinsurer Pool Re extended its terrorism offering to include property damage and business interruption using a cyber trigger. The cover, which will exclude intangible assets, will be offered as standard to all policyholders that purchase terrorism insurance from Pool Re insurer members.
Pool Re is also currently working with the UK government to extend cover to include terrorist acts that cause non-damage business interruption. However, Pool Re does not intend to provide non-damage cyber terrorism cover and will continue to restrict cyber terrorism cover to damage.
A recent JLT Re Viewpoint terrorism report noted that a number of pools have taken steps to narrow protection gaps by extending coverages to include new risks such as cyber. It is hoped that this will stimulate competition in the private market and increase the supply of new forms of cover as more primary and reinsurance carriers offer additional capacity to meet building demand.
The example of Pool Re is a case in point. Pool Re was able to extend its cover to cyber terrorism after it commissioned academic research from the Cambridge Centre for Risk Studies in order to develop terrorism scenarios and modelling tools. Pool Re was also able to purchase retrocession reinsurance with the addition of property damage cyber terrorism when its contract was renewed this year.
Cyber risks have grown considerably in recent years, reflecting the frequency, scale and sophistication of attacks, as well as increased dependence on technology.
Today’s cyber threat is multi-dimensional, with the impacts from attacks taking many different forms, including loss of data and software, theft of intellectual property, property damage, business interruption and reputational damage, to name only a few.
And the risks look set to escalate further due to technological advancements, including the Internet of Things (IoT), the expanding use of cloud computing, smart grids, embedded medical devices and the rise of intelligent machines. This raises the prospect of terrorist organisations targeting corporations by hacking into their networked technology systems in order to facilitate physical attacks. Or, equally troubling, non-state actors could acquire capabilities that enable them to carry out cyber attacks that cause physical damage or loss of life.
A report from Pool Re and the Cambridge Centre for Risk Studies (CCRS) in 2017 concluded that a physical cyber terrorist attack is only a matter of time. The report noted that terrorist groups have yet to successfully “weaponise” computer systems, but the broadening of attack surfaces and the growing technical capabilities of threat actors suggest that cyber terrorism is now looking more likely.
Pool Re found that cyber attacks in recent years have shown the potential for physical damage and business interruption, including a 2014 cyber attack on a German steel mill, a 2016 attack against the Ukrainian power grid, as well as the NotPetya malware attack in 2017, which caused major disruption and damage to data.
CCRS developed 40 cyber terrorism scenarios, including attacks against industrial systems by cyber terrorists, as well as cyber attacks against airports and airlines, power and healthcare.
It found that attacks against a chemical reactor, rail infrastructure, aircraft and ordnance were the four most extreme scenarios with respect to both scale of physical damage and mortality.
The acquisition of cyber capabilities by terrorist groups has long been expected but has so far failed to materialise, and there have been no known terrorist attacks using cyber means to trigger physical damage and destruction, according to Pool Re.
Although terrorist groups are currently unlikely to have the expertise needed to mount a destructive cyber attack, certain movements are thought to be seeking to acquire capabilities to launch attacks with tools that can now be purchased or hired on the dark web.
According to JLT Re’s report, this raises serious challenges for insurance. At present, exclusions in both terrorism and cyber markets are muddying the waters and a more integrated approach is needed. Malicious cyber attacks by quasi-state actors or proxies are a credible concern and conventional war exclusions may unwittingly preclude coverage, the report argued.
Pool Re’s report also notes that physically destructive cyber attacks could be difficult to trace and identify as an act of terrorism, and even where an attack appears to be terrorism-related, there is potential for considerable ambiguity. It can take a long time for forensic investigators to determine how a cyber attack was carried out, and some never confidently establish the identity of the perpetrators.
Cyber pools extend cyber cover
Under the US government-backed terrorism facility, the Terrorism Risk Insurance Program (TRIP), insurance policies that contain cover for cyber risk, or that do not exclude losses arising from a cyber event, are covered. Cyber terrorism cover was extended further on January 1, 2016, when an amendment to TRIP brought stand-alone cyber liability coverage into the programme. As a result, liability, breach costs and business interruption arising out of claims related to unauthorised access to personally identifiable or sensitive information due to viruses, malicious attacks or system errors are now covered by the programme.
The US Treasury is currently reviewing the effectiveness of TRIP and is due to release its findings on June 30, 2018. In compiling the report, the Treasury sought comments on cyber terrorism risk and asked if there are any reforms that would encourage the take-up of insurance for cyber-related losses arising from acts of terrorism.
The Australian government is considering whether to cover cyber terrorism under its terrorism insurance pool, the Australian Reinsurance Pool Corporation (ARPC). In its 2018 Triennial Review of the Terrorism Insurance Act 2003 (TI Act), the Australian Treasury asked stakeholders for their views on whether the risk of cyber terrorism causing physical property damage should be included in the scheme by removing over-riding policy exclusions for cyber terrorism.
The French terrorism insurance pool GAREAT provides some cover for cyber terrorism, but this is generally limited to physical damage and business interruption. According to a recent report, GAREAT does not currently extend to non-damage business interruption for cyber and coverage is less certain when it comes to loss of data. However, GAREAT modified its rules in 2017 to exclude non-consecutive non-material damages caused by acts of cyber terrorism from cyber attacks, malware and the like.
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org