Lloyd's releases report about the risk of cyber attacks titled “Shifting powers: Physical cyber risk in a changing geopolitical landscape”

July 11, 2022

As part of its Shifting Powers series, Lloyd's has released a timely and very thorough report on cyber security, “Shifting powers: Physical cyber risk in a changing geopolitical landscape”. The report sets out scenarios and likely responses which are very helpful and practical (and which are too involved to summarise or analyse in this post).

The press release provides:

In a highly digitised economy, cybersecurity sits at the top of the agenda for businesses, boards, risk managers and governments alike.

In recent years, malware and ransomware attacks have been causing severe disruption for global businesses and their supply chains. In addition to the rise in malware and ransomware attacks, the threat of state-sponsored cyber-attacks has become a significant focus for businesses and governments.

Whilst most cyber-attacks are digital, some result in tangible disruption or damage to the physical environment – these types of attacks are becoming increasingly commonplace. This is, in large part, due to the increasingly interconnected nature of systems and services which expose businesses to perils from physical cyber-attacks such as fires, explosions, flooding or bodily injury.

At Lloyd’s we understand the complex and potentially systemic risks in the cyber class and are committed to supporting a resilient cyber market. Cyber physical represents a key opportunity for insurers to develop a sustainable cyber offering that can help protect customers from a risk that has reached the highest level of priority in boardrooms around the world.

At 38 pages it is a significant, and long, report which defies easy summary; however, some highly pertinent points it makes include:

  • the three scenarios the report uses to model potential impacts on businesses are:
    1. Asymmetric Attack Exchange: a rudimentary cyber power sponsors non-state ransomware attacks by cybercriminals targeting another nation’s critical infrastructure
    2. Offensive Cyber Retaliation: regional tensions over nuclear development programmes spill over into cyber-physical sabotage of critical infrastructure
    3. Symmetric Attack Exchange: two sophisticated cyber powers engage in an escalation of destructive cyber attacks on critical infrastructure

Physical cyber risk

    • There are also clear signs that a number of states have assembled powerful cyber arsenals, with tools capable of crippling major industries or state projects through economic and physical disruption.
    • State-sponsored cyber activity is arguably more prevalent – albeit slower moving, largely covert and deployed alongside other foreign policy tools such as sanctions.
    • Non-state actors increase the risk of cyber catastrophes through cyber terrorism, cyber protest and other forms of cyber insurgency.
    • Profit is also a powerful driver of non-state cyber activity and has the potential to increase cyber physical threats, such as the inoperability of systems seen during the 2017 WannaCry attacks.
    • There has been an alarming increase in cyber criminals targeting critical national infrastructure systems and, by leveraging significant public and political pressure on victims, they have been able to extract heavy ransoms. States have responded by applying dissuasion and suppression to ransomware gangs, reminiscent of the “global war on terror” in their focus on investigations, legal action and strong public rhetoric.
    • A deliberately physically destructive cyber attack is a difficult thing to accomplish, requiring specialist hackers and detailed strategic planning; the capacity to carry out such attacks currently sits predominantly within nation states and the groups which they support.
    • Targeted physical attacks by government-sponsored groups are far more common than systemic ones, partly because smaller attacks create less of an outcry.
    • Businesses are vulnerable to attacks which affect third-party suppliers with less secure networks, or suppliers located in parts of the world where cyber disruption may increase sharply and suddenly.
    • Cyber attacks tend to focus on impacting three major components of critical infrastructure networks: controllability, observability and operability (the report’s “CO2 framework”). Operability attacks are the most directly physically damaging.

Cyber physical scenarios

    • Lloyd's identifies three broad categories or ‘tiers’ of national cyber capability, which it uses to frame its discussion of geopolitical tensions and escalation:
      • Tier 1: world-leading strengths in all the categories in the methodology
      • Tier 2: world-leading strengths in some of the categories
      • Tier 3: strengths or potential strengths in some of the categories but significant weaknesses in others
    • Countries are assessed across 7 categories of cyber capability:
      i) Strategy and doctrine,
      ii) Governance, command and control,
      iii) Core cyber-intelligence capability,
      iv) Cyber empowerment and dependence,
      v) Cyber security and resilience,
      vi) Global leadership in cyberspace affairs,
      vii) Offensive cyber capability.

    • Healthcare organisations have always been a cybercriminal favourite, but the trend was further reinforced at the height of the COVID-19 outbreak in 2020, when phishing emails and other cyber attacks on hospitals increased, with cyber criminals seeing the pandemic as an opportunity to exploit and draw profit.

Insurance solutions

    • Demand for cover has grown, as has the number of increasingly specialist policies; nevertheless, insurance penetration remains low even in industrialised countries. The share of global cyber losses in OECD countries that are uninsured is likely above 70% and potentially as high as 85% to 90% of all cyber losses incurred.
    • There are around 20 different types of cover for cyber losses currently available in the global insurance market, amounting to around $6 billion in total affirmative cover. Around 20% of this is insured at Lloyd’s.
    • The vast majority of cyber products provide cover for triggers such as:
      • data exfiltration,
      • contagious malware,
      • distributed denial of service, and
      • financial thefts.
    • Key loss processes include the failure of counterparties, or of suppliers who rely on networked systems and are vulnerable to outages and software failures. These account for roughly 90% of all business damage as a result of cyber attack, technological failure, and other malicious digital interference
    • The vast majority of cyber losses concern non-physical damage and disruption.
    • Cyber insurance policies are either:
      • “affirmative” – meaning they explicitly cover cyber risk and the specific losses associated with it – or
      • “non-affirmative”, meaning coverage is non-explicit. This is also described as “silent cyber”. It refers to the ambiguous coverage for cyber attacks in pre-existing policies and is an issue of unknown exposure for insurers. It is particularly relevant in aviation, aerospace, transport, marine and property lines, where business interruption losses or physical damage resulting from digital interference may be claimed under traditional, all-risk policies.
    • While property and contents damage insurance may not specifically exclude cyber as a trigger, the lack of specificity can leave businesses exposed.
    • Policies with no explicit exclusion, an implicit coverage grant, or ambiguous wording could be triggered by cyber losses.
    • Cover for physical asset damage may either be purchased as part of an inclusive cyber policy or considered as a ‘silent’ cyber coverage. It is now more likely that customers are not covered unless they have bought affirmative cover.
    • Most cyber policies specifically exclude cover for physical damage and related business interruption stemming from digital interference.
    • Some insurers have developed specialty, or ‘enhanced’, coverage types for physical damage from cyber triggers, which are marketed directly to technology or manufacturing firms. These policies have strict limits and only apply to first parties, meaning that there is no provision for contingent business interruption. The limits for these policies are much higher than those of typical cyber policies applied to non-physical impacts.
    • There are no specific insurance provisions for bodily injuries or deaths caused by cyber attacks.

Product innovation opportunities

    • There are two avenues for development:
      • Affirmative physical asset damage offerings. This involves creating new affirmative physical asset damage cover, scalable to the size and value of each policyholder and adapted to their operational infrastructure. It can sit alongside the provision of expert IT guidance, whilst evidence of consistent cyber security risk management practices could also be used to discount policy premiums. The exposure estimate should ultimately take into account both the vulnerability and the attractiveness of the industry or network as a target, and use this to determine appropriate policy wordings and limits for new cyber policies or add-ons.
      • Business interruption and contingent business interruption products for losses resulting from cyber physical attacks. These need clear and simple wording to ensure mutual security in times of increased risk. Wording assessments for any new coverages are essential in the cyber insurance field, and coverage caps will need to be specified.
