As cyber threats increase, alongside exponential advances in technology that can heighten cyber risk, there is also an increasing threat to legacy systems, particularly in areas such as critical infrastructure, according to experts.
Cyber attacks are expected against critical infrastructure, power grids and energy infrastructure, telecommunications, transportation and other key industries, where an attack could result in significant physical damage and the potential for wide-reaching business interruption.
Kaspersky Lab founder and CEO, Eugene Kaspersky, explained at a conference in Australia yesterday that cyber threats are moving from the broad targeting of software, as seen in the recent WannaCry ransomware attacks, to a much more targeted attack vector where specific critical infrastructure could be at risk.
Kaspersky highlighted the fact that legacy software architecture embedded in control systems and the like across critical systems and infrastructure could provide hackers and criminals with ways to cause significant damage and financial losses through a much more narrowly focused approach.
In particular, the type of legacy supervisory control and data acquisition (SCADA) systems, which feature in many critical infrastructure installations and industries such as the oil drilling sector, could be targeted. These legacy software systems often have little in the way of in-built cyber protection, can have IP addresses which leave them open to the wider internet and are very difficult and costly to patch or modify.
Kaspersky said that these SCADA attacks have already been seen, including one where an oil refinery was attacked, but he sees attacks against the power sector as having perhaps the greatest potential impact, and perhaps the greatest financial cost as well.
Cyber attacks against transportation systems and telecommunications have the next greatest potential to cause widespread impacts, according to Kaspersky.
For the insurance and reinsurance industry, the potential for cross-class exposures to emerge due to cyber attacks on critical infrastructure and control systems is a significant threat.
With cyber coverage underwriting growing across the globe, the threat of major losses increases, but it is where a cyber loss spreads to trigger other types of coverage, such as property and liability policies, that the potential for the greatest insurance and reinsurance industry exposure may lie.
Imagine a cyber attack on an oil refinery or installation that caused a significant spill. Or a cyber attack on the power grid that caused surges of energy resulting in widespread fire damage. Scenarios such as a telecommunications shutdown for a city, region or country could result in enormous business interruption losses as well.
The insurance and reinsurance industry could be on the hook for significant losses from some of these events. With impacts possible to portfolios of risk across multiple classes of business, the hit to specific companies could be significant as well.
These are truly the kind of events that would be classed as cyber catastrophes, alongside the more commonly considered data breaches, ransomware and other self-propagating cyber attacks.
As the cyber threat grows and becomes increasingly sophisticated and targeted, the threat of major re/insurance industry losses will increase as well, raising the need for reinsurance companies and perhaps the capital markets to act as capacity providers to cover such risks.
Of course, it also means re/insurers need an increasingly cyber-focused approach to managing their portfolios of risk, as even if they don’t underwrite direct cyber risk policies they could still be exposed to a significant and targeted cyber attack.
As the cyber threat vector changes, a new approach to cyber risks will be required in the insurance and reinsurance market.