Physical risk in cyber-attacks: Lloyds outlines potential impact to businesses in a new report

Published 22 julio 2022

In a new report, published in conjunction with the Cambridge Centre for Risk Studies on 30 June 2022, Lloyds of London examines the importance of effective risk management and the role of insurers in helping customers build resilience to cyber-attacks that could cause damage to physical environments.

Part 1: The Cyber Physical Scenarios

The report uses scenario-based analysis to bring awareness to the uncertainties around the interconnected threat of cyber and geopolitics, looking specifically at the perils of state-sponsored cyber-attacks. It outlines three hypothetical, yet plausible, scenarios involving politically motivated cyber actions intended to cause physical damage:

Asymmetric Attack Exchange: A rudimentary cyber power sponsors non-state ransomware attacks by cybercriminals targeting another nation’s critical infrastructure;

Offensive Cyber Retaliation: Regional tensions over nuclear development programmes spill over into cyber-physical sabotage of critical infrastructure;

Symmetric Attack Exchange: Two sophisticated cyber powers engage in an escalation of destructive cyber-attacks on critical infrastructure.

The analysis of those scenarios includes the potential impacts on businesses and the insurance industry, including the probability to engage different classes of business. The report also contains an assessment of the exposure of different industry sectors to cyber-attacks targeting embedded fuel sources, including items like batteries and boiler fuel, hazardous materials (e.g. sewage and petroleum), infrastructure outage, machinery energy and more.

In relation to the anticipated claims impact of the three cyber physical scenarios described in the report, it concludes as follows:

Part 2: The Insurance Solutions

Further, the report praises the insurance industry for its flexibility and ability to adapt to circumstances, including the change in the political landscape. In relation to cover for physical risks arising from cyber-attacks, the authors note that the “relatively immature” cyber policy market generally excludes cover for damage to tangible property.  They attribute this to the increased clarity of contract terms, brought about by the industry-wide efforts in recent years on the “silent cyber” clarifications regarding non-affirmative cover, relevant to aviation, aerospace, transport, marine and property lines.

Where business need requires the cover of physical risk in the cyber-attack context, the report outlines two specific product innovation opportunities for the industry to consider. These are:

1. Affirmative physical asset damage offerings, where Insurers could look to create new affirmative physical asset damage cover, scalable to the size and value of each policyholder and adapted to their operational infrastructure. Premiums for these products should be prepared in conjunction with industrial engineers and security experts and should ultimately take into account both the vulnerability and the attractiveness of the industry or network as a target.

2. Business interruption (BI) and contingent business interruption (CBI) products, with clear and simple wording, offering extension of third-party coverage. However, the report warns that without clear exclusions and affirmative cover, the industry risks silent exposure to cyber physical perils which cause power outages, transport disruption, communication outages, and other damages to business infrastructure.

Finally, the report notes that the need for an informed debate about preventative or proactive steps around cyber pooling (i.e. the establishment of a commercial pool or public-private partnership in order to provide protection from cyber catastrophes). While the threat of mass-scale physical cyber-attacks is considered unlikely, the report notes that it is nevertheless “evolving” and requires planning for the future.