CyberCube recently took part in the Intelligent Insurer webinar “Address Business Interruption in a Hyper-Connected World,” which focused on how an increase in interconnectivity through the Internet of Things (IoT) impacts vulnerabilities to cyber and cyber-physical attacks. I was grateful to participate in the panel alongside Siobhan O’Brien (Guy Carpenter), Kirsten Mitchell-Wallace (Lloyd's), and Monica Tigleanu (Marsh). A notable first for many of us was this being an all-female panel, with Wyn Jenkins (Intelligent Insurer) moderating our discussion!
The implementation of widespread 5G will allow greater speed and connectivity not just for individuals but for large entities, cities, manufacturing sites, etc. leveraging IoT devices. For example, 5G will assist in making smart cities more obtainable, integrated, and efficient in terms of building management, transportation, and electric grid devices. However, these connections are also additional entry points for cyber attackers. A particular concern would be a denial of service (DoS) attack, which could cause Internet traffic to halt between the interconnections or impact the ability of devices to process requests, thus leaving devices useless.
A recurring topic in our panel discussion was the compounded risk of cyber-physical attacks - meaning a cyber attack is used by a means in which to cause physical damages – particularly as it relates to Industrial Control Systems (ICS) and critical infrastructure in general. There is historical precedence for events that would not only cause business interruption and outages due to a cyber attack, but also physical damages or disruptions due to safety concerns.
The concerns of physical damage plus widespread outages caused by a cyber attack to critical infrastructure such as water, energy, and transportation sectors have long been a concern. CyberCube, Guy Carpenter, and Lloyd’s recently issued a report specifically looking into physical cyber in relation to industrial control sectors.
The recent fire at one of OVHCloud’s data centers in France offers additional insights into how we think about the aggregated impacts of potential cyber-enabled physical attack scenarios, beyond traditional critical infrastructure. The fire (although not thought to have been caused by malicious actors) is an example of how a targeted cyber-enabled physical attack could not only disrupt private entities and government agencies’ ability to operate effectively, but can also cause longer disruptions and costly repairs due to the physical damages to servers or data centers. Events where there can be a two-fold impact of physical damages plus long-lasting disruptions due to a cyber event offer an interesting layer of complexity for how we think about cyber risks.
The connection between property risks and cyber risks is a quickly evolving topic and requires novel thinking from the insurance industry in order to address it. Our panel discussed the difficulties around non-traditional silent cyber risks and physical damages caused by cyber events not being clearly understood, thus creating confusion for policyholders to determine if existing property policies will pay for incidents caused by cyber. Clients need more information about what they can do to prepare for these potential large widespread catastrophic outages (whether it be an outage on the electric grid or Internet infrastructure), and what kind of exposure risk and therefore coverage they need.
Our panel concluded with forward-looking sights, highlighting the exciting nature of the field we work in: Cybersecurity is an imperfect science due to its ever-evolving nature, but as the cyber insurance market grows, policies must be resilient, sustainable, and evolving. The cyber (re)insurance industries have an important role to play here, but data and analytics from companies like CyberCube will help pave the way for the industry to make better informed decisions. With cyber risks, we are constantly learning, and in the end the work we do now will utilize not just industry growth, but also allow for businesses and society to understand better the risks they are taking.