Lloyd's Report Warns of Cyber-Attack Risk to Critical Infrastructure


July 05, 2022


The threat of physical damages resulting from cyber attacks is growing as the number of attacks targeting critical infrastructure increases, according to a new report from Lloyd's of London.

The Lloyd's report, "Shifting powers: physical cyber risk in a changing political landscape," notes that in recent years malware and ransomware attacks have caused severe disruption for global businesses and their supply chains. At the same time, the increase in those attacks has raised the level of scrutiny of businesses' cyber-risk mitigation strategies and insurance coverages.

"Thankfully, the world is yet to experience a truly catastrophic cyber physical attack," the Lloyd's report said. "But the potential impacts of such an attack could be significant, crippling entire systems and societies."

The report noted that physical cyber attacks have been growing in recent years, with attacks targeting critical infrastructure increasing from 10 in 2013 to almost 400 in 2020. The complexity of the attacks is also evolving, Lloyd's said, from attacks focused simply on short-term disruptions to attacks aimed at compromising assets or processes with the intent of causing physical harm or loss of life.

"In this context: an effective cyber-security strategy is paramount. With a risk as complex as cyber – encompassing a huge range of possibilities and uncertainties – one useful tool for risk managers can be scenario planning," Lloyd's said.

According to the report, deliberately physically destructive cyber attacks are difficult to accomplish, requiring specialized hackers and detailed strategic planning. "The capacity to carry out such attacks currently predominantly sits within nation states and the groups which they support, which means that right now cyber physical risk is closely related to geopolitical risk," Lloyd's said.

It's possible, however, that at some point the capacity to engage in cyber physical hacking could be made available for purchase, giving non-state actors access to powerful tools for carrying out cyber physical attacks, the report said.

Businesses face both the risk of disruptive attacks on physical infrastructure that directly affect their own operations and the risk of such attacks affecting critical suppliers, according to Lloyd's.

"Industrial and highly mechanized environments, including national infrastructure systems, building control managers, energy management systems, traffic grids, and other utilities which aid in business continuity and national safety are all highly vulnerable to cyber attack," the report said.

According to the Lloyd's report, cyber insurance remains a relatively immature though still-growing market in most industrialized countries. The coverage provided in most cyber-insurance policies focuses on non-physical damage and disruption, Lloyd's said, with most cyber policies specifically excluding physical damage and related business interruption stemming from digital interference.

In recent years, however, some cyber insurers have developed specialty or "enhanced" coverages for physical damage resulting from cyber triggers, which are marketed directly to technology or manufacturing firms. Those coverages have strict limits and apply only to first parties, Lloyd's said, with no provisions for contingent business interruption.
