Leading risk modeller RMS today announced the introduction of a new range of ‘cyber-physical’ models to help property re/insurers manage and understand the growing risk of cyber attack scenarios that could lead to physical damage to property.
The model’s focus is on attacks against I.T. (information technology systems) that are intended to inflict physical damage to property.
Dr. Andrew Coburn, RMS senior vice president, emerging risks, said; “In the past two years, we have seen attacks that have damaged industrial plants, shut down building control systems, and caused power grid failures – all achieved by hackers targeting control systems that are linked to the internet.”
RMS said this risk poses an urgent and systemic threat across re/insurance portfolios, as multiple business sectors are expected to be impacted, and property re/insurers haven’t yet caught up with policy and pricing updates.
The risk modeller admonished the industry to take a more holistic view on cyber risk, seeing it as a risk that corresponds with and impacts all other insured threats, not as an isolated and specialised risk; “It is now a peril that can cause losses in traditional property insurance policies which are either ambiguous or silent about whether they will pay out for cyber-triggered losses,” said RMS.
“Insurers have begun to understand the risk of cyber-attacks on information technology (I.T.) systems, for example financial theft, data extraction and cyber-extortion. But with the rise of the Internet of Things, more devices are connected to computer networks which opens up new vulnerabilities for hackers to exploit. They can target operational technology, and thus the essential fabric of any business – even its bricks and mortar,” Dr. Coburn added.
Commercial property, marine, energy, industrial and facultative facilities are sectors believed to be most vulnerable to cyber-physical attacks, but RMS said re/insurers needed help with identifying additional “silent” cyber-physical risk exposures as the risk emerges faster than the industry’s evolved.
RMS’s new Cyber Accumulation Management System identifies silent exposures through analysis of five new risk scenarios including cyber-induced fires in commercial office buildings and triggered fire in industrial processing plants – in both scenarios hackers manipulate laptops or heat-sensitive devices like thermostats into overheating and causing a fire.
The additional risk scenarios added to RMS’s arsenal involve regional power grid outages after an attack on control systems of power-generating companies; triggered explosions on oil rigs – as hackers manipulating network operations centre controls can result in structural misalignment of well heads; and cyber-enabled marine cargo theft from a port – port management systems are highly computerized and therefore highly vulnerable to malware disruption.
RMS said the new class of cyber-physical model’s scenarios are based on detailed technical analysis of vulnerabilities, possible attack vectors, and potential insurance payouts.