Throughout the insurance industry, it is common practice to refer to the risk of failures of critical infrastructure and exclude it from cyber insurance policies. At Munich Re, in this context we refer to critical infrastructure, as follows:

• Common services all companies or the general public rely on, such as power, telecommunications or the Internet, where such services are not under the control, operation or ownership of the insured in question.
• Both the physical components and the underlying services required for such networks to function, such as, in the case of the Internet, Internet Service Providers (‘ISPs’) and the Domain Name System (‘DNS’).
• Failure of these services refers to periods when the network is fully or partially, globally or regionally unavailable due to an unintentional and unplanned event impacting a large number of customers.

The duration of the outage has to be long enough to impact a business’s operations, which results in a loss of income or creates a liability for the controller, operator or owner of the network. Some outages may also result in a loss of income or the creation of a liability for the customers of the controller, operator or owner of the network.

Electricity is a fundamental requirement for industrialised societies and economies to function. Both ‘brownouts’ (reduced voltage) and ‘blackouts’ (complete failure of the electricity supply) are risks to consider. A brownout or blackout of a few minutes may cause only minor inconvenience, but a blackout of a few hours or even several days would have a significant impact on our daily life and the entire economy.

The major concern is the potential impact on critical infrastructure: communication and transport, heating and water supply, production processes and trading, emergency services (fire, police, ambulance), hospitals, financial trading, cash machines and supermarkets. Ultimately, it would lead to a catastrophic scenario, including civil unrest.

Possible triggers causing a blackout include well-known perils (natural catastrophes, human error and terrorist/war-like attacks) to the more recent phenomenon of cyber attacks. Different vulnerabilities can be exploited to cause imbalances in a power grid, such as hackers infiltrating control systems or manipulation of transformers or generators.

Consequences can include physical destruction of critical parts in the network (generators, transformers, etc. and in the future, smart grids), triggering one of the tripping criteria, which can lead to a chain reaction causing the power grid to shut down. If physical destruction occurs, this would directly trigger insured business interruption or contingent business interruption losses, where extensions for critical suppliers in affected property policies exist. Such an outage caused by a cyber attack presents significant accumulation potential for so-called ‘silent’ cyber losses with a physical damage provision in property insurance.

Yet, an even larger accumulation potential exists for business and contingent business interruption losses without a physical damage provision, as is commonly covered within cyber insurance policies. During a long-lasting outage, unless a company has back-up generation that does not rely on the affected external network, there would likely be a significant, if not total, cessation of work. It can be expected that most companies in the affected geographical area will suffer an interruption to their business operations and incur substantial losses. Depending on the severity of the attack, the outage may last for several days or even weeks, which would undoubtedly exceed waiting periods (or ‘time deductibles’) agreed in business interruption or contingent business interruption (‘CBI’) coverages. This scenario may lead to extensive and widespread CBI losses without a physical damage provision.

A further subsequent consequence of electricity outages can be large-scale Internet failures. Of course, these can also occur independently.

Cyber attacks pose an increasing threat to individual companies and Internet infrastructure, with Distributed Denial of Service (‘DDoS’) attacks gaining ground as a prominent example of one such source of risk. Here, the perpetrator seeks to render a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. If the attack hits either a DNS server or a domain, it may cause widespread business interruption, in particular to the e-commerce industry. In addition, all other business segments that use the Internet may suffer a business interruption loss without any physical losses or damage to data, simply because the DNS cannot cope with the extremely high number of requests.

However, a disruption of online services can not only occur through malicious activities. A software malfunction leading to a telecommunication network outage or an Internet Exchange Point outage, can have similar consequences for the economy as cyber attacks. Additionally, with IoT technology on the rise, an Internet failure can affect the manufacturing industry on a global scale, as machines are unable communicate via a network as intended, with ramifications for the production process and supply chains. This development will increase the overall accumulation potential.

There are failure/outage scenarios that we consider insurable. This includes the failure of computer systems under the control of the insured, as well as additional items under their direct control, such as back-up power generators. In these cases, accumulation potential from dependencies on external infrastructure can be avoided. Additionally, the outage of third-party entities (e.g. IT service providers) can be covered, except for infrastructure considered critical for networks like the Internet.

Modelling approaches used by insurers to quantify cyber risk are continually improving. However, certain sources of cyber risk are regarded as uninsurable due to the underlying accumulation potential, such as in the two scenarios outlined above. In terms of cyber, the accumulation exposure that Munich Re is concerned with is an infrastructure failure impacting a large number of clients, with huge exposure to business interruption losses and certain other first-party elements of a typical cyber policy. Due to its systemic nature and the uncertainty surrounding the potential quantum of such an event, Munich Re does not believe the failure of such infrastructure is insurable, and as a consequence does not want to insure this kind of risk at this time.

Munich Re’s approach is based on understanding risks, assessing them adequately and thus making them insurable in order to provide its clients with comprehensive risk transfer solutions and services. This can only be done in close cooperation with experts from insurance and reinsurance, insureds and external partners, in order to develop a common understanding of how cyber risks should be dealt with. We are ready to accept the challenge.