What if a major cyber attack strikes critical infrastructure?
Can you imagine a week of working without the Internet? Or maintaining a production line without electricity? Most companies would not be able to continue their daily operations and would be facing significant losses. These threats have created both a need for new types of cyber insurance coverage and an increased risk of extreme losses for insurers. Here are the pitfalls to look out for.
Throughout the insurance industry, it is common practice to single out the risk of critical infrastructure failure and exclude it from cyber insurance policies. At Munich Re, in this context we define critical infrastructure as follows:
- Common services all companies or the general public rely on, such as power, telecommunications or the Internet, where such services are not under the control, operation or ownership of the insured in question.
- Both the physical components and the underlying services required for such networks to function, such as, in the case of the Internet, Internet Service Providers (‘ISPs’) and the Domain Name System (‘DNS’).
- Failure of these services refers to periods when the network is fully or partially, globally or regionally unavailable due to an unintentional and unplanned event impacting a large number of customers.
The duration of the outage has to be long enough to impact a business’s operations, which results in a loss of income or creates a liability for the controller, operator or owner of the network. Some outages may also result in a loss of income or the creation of a liability for the customers of the controller, operator or owner of the network.
Why are we so worried about infrastructure failure?
An unintentional power or Internet failure (including Internet-based services) carries a systemic accumulation risk, as it would impact a large number of customers who could be exposed to significant business interruption (‘BI’) losses and other first-party elements of a typical cyber insurance policy. Due to the uncertainty surrounding such an event, there is currently no adequate way to model the failure of infrastructure in quantitative terms. And even with ever-evolving modelling approaches, insurers will still face risks that are seen as uninsurable due to the underlying accumulation potential. This becomes clearer when looking at the following scenarios:
Scenario 1: Outage of electricity
Electricity is a fundamental requirement for industrialised societies and economies to function. Both ‘brownouts’ (reduced voltage) and ‘blackouts’ (complete failure of the electricity supply) are risks to consider. A brownout or blackout of a few minutes may cause only minor inconvenience, but a blackout of a few hours or even several days would have a significant impact on our daily life and the entire economy.
The major concern is the knock-on effect on everything that depends on electricity: communication and transport, heating and water supply, production processes and trading, emergency services (fire, police, ambulance), hospitals, financial trading, cash machines and supermarkets. A prolonged blackout could ultimately escalate into a catastrophic scenario, including civil unrest.
Possible triggers of a blackout range from well-known perils (natural catastrophes, human error and terrorist/war-like attacks) to the more recent phenomenon of cyber attacks. Different vulnerabilities can be exploited to cause imbalances in a power grid, for example attackers infiltrating the grid’s control systems and manipulating transformers or generators.
Consequences can include physical destruction of critical parts of the network (generators, transformers, etc. and, in the future, smart grids), which trips protective relays and can set off a chain reaction that shuts down the power grid. If physical destruction occurs, this would directly trigger insured business interruption or contingent business interruption losses wherever the affected property policies carry extensions for critical suppliers. Such an outage caused by a cyber attack presents significant accumulation potential for so-called ‘silent’ cyber losses, i.e. cyber-triggered losses paid under property policies with a physical damage provision that were never priced for cyber.
Yet, an even larger accumulation potential exists for business and contingent business interruption losses without a physical damage provision, as is commonly covered within cyber insurance policies. During a long-lasting outage, unless a company has back-up generation that does not rely on the affected external network, there would likely be a significant, if not total, cessation of work. It can be expected that most companies in the affected geographical area will suffer an interruption to their business operations and incur substantial losses. Depending on the severity of the attack, the outage may last for several days or even weeks, which would undoubtedly exceed waiting periods (or ‘time deductibles’) agreed in business interruption or contingent business interruption (‘CBI’) coverages. This scenario may lead to extensive and widespread CBI losses without a physical damage provision.
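The following toy model illustrates the accumulation point made above and in the earlier paragraph on systemic accumulation risk. It is an added example, not Munich Re’s model or data: the portfolio of 20 insureds, their daily loss figures, waiting periods, BI limits and the 5 % annual probability of a 5-day outage are all constructed assumptions. It compares a portfolio in which each insured fails on its own (e.g. its own back-up generator) with one in which a single regional infrastructure outage hits everyone at once. Both have the same expected annual loss; only the tail differs, which is exactly why the mean is the wrong number to look at.

```python
"""Toy accumulation model for an infrastructure outage hitting an insurance portfolio.

Constructed example: the portfolio, probabilities and loss figures are assumptions,
not Munich Re data, and the model is deliberately simple.
"""
import random

# Constructed portfolio of 20 insureds in one region. daily_loss is the business
# interruption loss per day of outage, waiting_days the time deductible and limit
# the BI sub-limit of the policy. All figures are made up.
PORTFOLIO = [
    {
        "name": f"insured-{i:02d}",
        "daily_loss": 10_000 * (1 + i % 5),
        "waiting_days": 1 + i % 3,
        "limit": 250_000,
    }
    for i in range(20)
]


def bi_loss(daily_loss, waiting_days, outage_days, limit):
    """BI payout for one insured: only days beyond the waiting period count, capped at the limit."""
    covered_days = max(0, outage_days - waiting_days)
    return min(limit, covered_days * daily_loss)


def common_cause_loss(portfolio, outage_days):
    """A single regional outage hits every insured at once, so the payouts simply add up."""
    return sum(bi_loss(p["daily_loss"], p["waiting_days"], outage_days, p["limit"]) for p in portfolio)


def expected_annual_loss(portfolio, p_outage, outage_days):
    """Expected annual loss. It is identical whether outages are independent or
    common-cause, so the mean alone never reveals the accumulation problem."""
    return p_outage * common_cause_loss(portfolio, outage_days)


def simulate_annual_losses(portfolio, p_outage, outage_days, correlated, n_sims=5000, seed=1):
    """Monte Carlo of the annual portfolio loss. correlated=True: one draw decides
    whether the whole region is down (infrastructure failure). correlated=False:
    each insured fails on its own with the same probability (e.g. its own generator)."""
    rng = random.Random(seed)
    totals = []
    for _ in range(n_sims):
        if correlated:
            total = common_cause_loss(portfolio, outage_days) if rng.random() < p_outage else 0
        else:
            total = sum(
                bi_loss(p["daily_loss"], p["waiting_days"], outage_days, p["limit"])
                for p in portfolio
                if rng.random() < p_outage
            )
        totals.append(total)
    return sorted(totals)


def percentile(sorted_values, q):
    """Nearest-rank percentile of an ascending list, q in 0..100."""
    idx = int(round(q / 100 * (len(sorted_values) - 1)))
    return sorted_values[idx]


if __name__ == "__main__":
    P, DAYS = 0.05, 5  # assumed 5 % annual probability of a 5-day outage
    print("1-day outage, all within waiting periods:", common_cause_loss(PORTFOLIO, 1))
    print("5-day regional outage, whole portfolio:", common_cause_loss(PORTFOLIO, DAYS))
    print("expected annual loss (either model):", expected_annual_loss(PORTFOLIO, P, DAYS))
    for label, corr in (("independent", False), ("common-cause", True)):
        losses = simulate_annual_losses(PORTFOLIO, P, DAYS, corr)
        print(f"{label:13s} 99th percentile annual loss:", percentile(losses, 99))
```

A one-day outage produces no payout at all because every policy’s waiting period absorbs it; a five-day outage clears all the waiting periods and, when it is common-cause, the whole portfolio pays out in the same year. The 99th percentile of the independent model stays at a handful of insureds’ losses, while the common-cause model’s 99th percentile is the entire portfolio loss.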
Large-scale Internet failures can be a further consequence of electricity outages, although they can of course also occur independently.
Scenario 2: Failure within Internet infrastructure
Cyber attacks pose an increasing threat to individual companies and to Internet infrastructure, with Distributed Denial of Service (‘DDoS’) attacks a prominent example of one such source of risk. Here, the perpetrator seeks to render a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the Internet. If the attack hits DNS servers that many domains depend on, or a single heavily used domain, it may cause widespread business interruption, in particular for the e-commerce industry. In addition, every other business segment that uses the Internet may suffer a business interruption loss without any physical damage or damage to data, simply because the DNS servers cannot cope with the flood of requests and legitimate queries go unanswered.
However, a disruption of online services need not be caused by malicious activity. A software malfunction leading to a telecommunication network outage or an Internet Exchange Point outage can have similar consequences for the economy as a cyber attack. Additionally, with IoT technology on the rise, an Internet failure can affect the manufacturing industry on a global scale, as machines are unable to communicate via the network as intended, with ramifications for the production process and supply chains. This development will increase the overall accumulation potential.
What scenarios are and are not considered insurable?
There are failure/outage scenarios that we consider insurable. This includes the failure of computer systems under the control of the insured, as well as additional items under their direct control, such as back-up power generators. In these cases, accumulation potential from dependencies on external infrastructure can be avoided. Additionally, the outage of third-party entities (e.g. IT service providers) can be covered, except for infrastructure considered critical for networks like the Internet.
Modelling approaches used by insurers to quantify cyber risk are continually improving. However, certain sources of cyber risk are regarded as uninsurable due to the underlying accumulation potential, such as in the two scenarios outlined above. In terms of cyber, the accumulation exposure that Munich Re is concerned with is an infrastructure failure impacting a large number of clients, with huge exposure to business interruption losses and certain other first-party elements of a typical cyber policy. Due to its systemic nature and the uncertainty surrounding the potential quantum of such an event, Munich Re does not believe the failure of such infrastructure is insurable, and as a consequence does not want to insure this kind of risk at this time.
Munich Re’s approach is based on understanding risks, assessing them adequately and thus making them insurable in order to provide its clients with comprehensive risk transfer solutions and services. This can only be done in close cooperation with experts from insurance and reinsurance, insureds and external partners, in order to develop a common understanding of how cyber risks should be dealt with. We are ready to accept the challenge.