New "Cyber-Physical" Risk Modeling for Property Insurers


March 16, 2018


According to modeling and analytics firm RMS, the risk of insurance losses through physical damage to property increases as hackers target control systems linked to the Internet. The firm has responded with a new class of "cyber-physical" risk models that explore a range of cyber-attack scenarios that can lead to physical property damage.

Multiple lines of business may be affected by cyber attacks, posing a systemic threat across insurance portfolios. Cyber risk is no longer confined to specialist writers of affirmative cyber insurance. It is now a peril that can cause losses in traditional property insurance policies, which may be ambiguous or silent about payouts for cyber-triggered losses.

"In the past two years, we have seen attacks that have damaged industrial plants, shut down building control systems, and caused power grid failures—all achieved by hackers targeting control systems that are linked to the [I]nternet," said Dr. Andrew Coburn, RMS senior vice president of emerging risks. "Insurers have begun to understand the risk of cyber-attacks on IT systems, for example financial theft, data extraction, and cyber-extortion. With the rise of the Internet of Things, more devices are connected to computer networks … [with] new vulnerabilities for hackers to exploit. They can target operational technology, and thus the essential fabric of any business—even its bricks and mortar."

To allow insurers to identify silent exposures, RMS has analyzed the lines of business thought to be most vulnerable to cyber-physical attacks, such as commercial property, marine, energy, industrial, and facultative facilities. The five new risk scenarios in the RMS Cyber Accumulation Management System allow insurers to identify silent exposures in these and other lines. The following scenarios are based on detailed technical analysis of vulnerabilities, possible attack vectors, and potential insurance payouts.

  • Cyber-induced fires in commercial office buildings—hackers can gain access to Internet-connected office equipment, such as laptops, manipulating them to overheat and start fires. If the offices are unmanned, this could lead to the destruction of entire premises as well as the facilities and systems they house. 
  • Triggered fire in industrial processing plants—heat-sensitive devices, such as thermostats, can be sabotaged to ignite flammable products in storage.
  • Triggered explosions on oil rigs—a network operations center controlling an entire field of oil rigs could be targeted to cause structural misalignment of well heads, leading to the explosion of multiple oil rigs.
  • Cyber-enabled marine cargo theft from a port—port management systems are highly computerized and so valuable cargo can be stolen as a result of cyber attacks, for example, through the use of malware to disrupt operating systems or to access sensitive cargo data.
  • Regional power grid outages—the control systems of power-generating companies could be attacked, allowing criminals to damage generators. This could cause a cascading regional power outage with huge losses to insured customers as well as the power supplier.
