2222222222

Property Risk

Is Your Plant Ready for a Cyber Attack that Causes Physical Damage?

Underwriters and risk managers are beginning to get their arms around the next wave of cyber exposure — an attack that causes property or bodily damage.
By: | July 27, 2017 • 7 min read

When the Baku-Tbilisi-Ceyhan pipeline exploded in 2008 in eastern Turkey, it damaged the pipeline in Refahiye, spewed oil into the environment and posed physical harm to firefighters called in to quell the flames.

Cyber attackers apparently hacked into the pipeline’s control system and manipulated valves to increase pressure inside the pipe, while suppressing alarms that would have alerted operators to an error.

Advertisement




In 2014, an unnamed steel mill in Germany sustained extensive damage after hackers breached the plant’s computer network via a spear phishing email, then infiltrated industrial systems that control operational machinery.  The attack compromised the system so that a blast furnace could not be shut down.

In another well-known incident the year before, the Stuxnet computer virus engineered by U.S. and Israeli forces damaged thousands of centrifuges at an Iranian nuclear power plant, again compromising system controls while making it appear everything was working normally. The virus was introduced through an employee’s thumb drive.

These are only a few examples of cyberattacks that caused physical property damage and potential bodily injury.

“The breaches and cyberattacks we see in the news are usually around the theft of personally identifiable information,” said Tracie Grella, global head of cyber risk insurance at AIG.

“We’ve seen ransomware events, DOS attacks. The data disclosure and business downtime are usually the results of a network breach. But the potential for extensive physical damage is an emerging risk.”

As cyber risk rapidly evolves, the insurance industry is working hard to keep up. However, gray areas remain and there are unanswered questions about how to underwrite and mitigate such a dynamic risk.

Loss Scenarios

“Five to 10 years ago, cyberattacks were motivated primarily by financial gain and access to confidential data,” said Chris O’Byrne, cyber underwriting specialist at FM Global. “This has evolved into more attacks focused on causing business disruption, and others where the goal is physical damage.”

Tracie Grella, global head of cyber risk insurance, AIG

Though every type and size of company is susceptible to a cyberattack, those with industrial-control systems (ICS), such as manufacturers and energy suppliers, may be most vulnerable to an attack intended to cause physical damage. Industrial-control systems are comprised of many components relying on communication between separate computer networks. The less cohesive a system is, the more opportunities arise for hackers to find a way in.

“We’re seeing more reports of malware being written specifically to target these systems,” O’Byrne said.

“Companies first think to look at their GL or property policies for coverage … but these policies really were not designed to respond to cyberattacks.” — Tracie Grella, global head of cyber risk insurance, AIG

“The intent may not be to expressly cause physical damage, but that could certainly be a result.”

The physical damage that could result from an attack on ICS varies. It could be a fire that destroys equipment or a whole facility; it could be the simple wearing down and corrosion of machinery; it could involve environmental damage, or damage to any goods being produced.

“Hackers can spoof sensors by sending false data. They can force cyclical behaviors, like turning something on and off in rapid cycles, which causes machinery to wear out, fuses to be blown, leaking, and in some cases explosion and fire,” said Tom Harvey, product manager of cyber solutions at RMS, the risk modeling firm.

“It could be something as simple as disconnecting safety features,” he said. “Everything would be operating as it should, but there’s the increased risk for bodily injury.”

Spoofing sensors also can cause damaged goods, without harming any machinery or equipment. In a refrigerated truck, for example, hackers would feed sensors false data so they continually record a temperature of 0 degrees, even if it’s 70 inside the truck. An entire shipment of frozen goods would be ruined by the time it reaches its destination.

“It’s not that the refrigeration equipment was broken; it’s that the sensors were fed the wrong information, and no one had any indication that it was false,” said Robert Parisi, cyber product leader at Marsh. “These losses will not fall into the simple buckets in which the insurance community likes to put things.”

The scope of potential losses leaves risk managers wondering what insurance policy, if any, will cover the damage.

Looking for Cover

“The question in insurance becomes: where is that covered?” Grella said.

Advertisement




The industry has no uniform way to address these losses. Cyber coverage typically excludes physical loss. Property or general liability policies likely cover property damage, even if the underlying trigger was a cyber event. Companies also might find coverage in crime or fidelity policies, if the breach was perpetrated by an employee.

“Companies first think to look at their GL or property policies for coverage, and they may find it there, but these policies really were not designed to respond to cyberattacks,” Grella said.

“Finding silent coverage is not really where insurers or insureds want to be. Clients want to know what they’re buying and what’s covered, and carriers want to know exactly what they’re covering.”

Coverage for cyber-triggered physical losses could extend in two directions. Carriers could begin offering affirmative coverage for cyber events in property policies, or cyber policies could expand to include property damage and bodily injury, not just loss of data, business interruption and other non-physical losses.

Tom Harvey, product manager of cyber solutions, RMS

“Market conditions will dictate that evolution to some degree,” Harvey of RMS said. “At the moment, the property market is very soft, which drives underwriters to try to win more business, which means they’ll be more generous with their cyber coverages. On the other hand, regulators want to ensure underwriting is done properly, with adequate controls in place, which could push property underwriters to move away from cyber endorsements.”

Property and cyber underwriters need to work together to ensure they are managing the risk appropriately. Marsh’s Parisi said some cyber insurers have offered to cover physical loss only if the insured’s property policy does not respond. This shows the industry is recognizing the widening coverage gaps.

“Cyber policies expanding to take in this exposure is the cleanest way to do it,” he said. “We are seeing greater flexibility on the part of the cyber market to adapt to changing loss scenarios that don’t have actuarial data behind them or underwriting standards.”

AIG, Marsh and FM Global are among insurers and brokers offering expanded cyber products designed to affirmatively cover physical harm.

“We’re starting to get more inquiries about our coverage and how it intersects with other cyber policies,” FM Global’s O’Byrne said. “What clients really want is contract certainty.”

Risk Mitigation

RMS has spent the past year modeling the severity of physical losses triggered by a cyberattack, but nailing down the frequency remains a challenge.

“We have developed models to confidently help insurers assess what the severity of cyber-physical events might be,” Harvey said. “RMS are continuing to explore methods of assessing the probability of these rare events as we know both the frequency and severity are critical components of quantifying the risk.”

With cyber risks evolving and uncertainties in the type and scope of losses and coverage gaps, the best approach risk managers can take is to treat cyber like any other operational risk and apply enterprise risk management.

“The best companies approach cyber risk the same way they do currency risk, or political unrest, or weather risk — like any other standard risk,” Parisi said. “Tech-based risks are really no different that any other risk and you need to manage them through the normal risk management channels. Make sure that technology risk is part of the ERM discussion.”

“If you are targeted by a sophisticated group of hackers, they will find a way in. You have to make sure you’re properly covered.” —Tom Harvey, product manager, cyber solutions, RMS

Cross-functional teams including risk management, IT, operations and security should work with senior executives to assess the scope of cyber risk and develop a multi-pronged strategy, O’Byrne said.

Advertisement




“Buying the newest, shiniest piece of technology won’t necessarily solve your exposure. Assuming that the IT guys will somehow fix it ignores the fact that technology has crept into everything that we do. It’s an active risk to be managed, not a problem to be solved,” he said.

Patching cyber vulnerabilities in industrial-control systems, and separating critical control systems from business networks and other non-critical functions can make it harder for hackers to access machinery and production controls.

Risk managers also should conduct gap analyses to determine if and where they have coverage for physical damage from a cyberattack.

“Your broker or a third-party vendor can provide this service,” Grella of AIG said. “You want to make sure you have a primary policy that provides coverage for physical damage from cyber on an affirmative basis.”

Given the near impossibility of gauging and defending against all cyber exposures as the risk takes on new forms, closing coverage gaps will be the most critical risk management technique.

“If you are targeted by a sophisticated group of hackers, they will find a way in,” Harvey said. “You have to make sure you’re properly covered.” &

Katie Dwyer is an associate editor at Risk & Insurance®. She can be reached at [email protected]

More from Risk & Insurance

More from Risk & Insurance

The Profession

Curt Gross

This director of risk management sees cyber, IP and reputation risks as evolving threats, but more formal education may make emerging risk professionals better prepared.
By: | June 1, 2018 • 4 min read

R&I: What was your first job?

My first non-professional job was working at Burger King in high school. I learned some valuable life lessons there.

R&I: How did you come to work in risk management?

After taking some accounting classes in high school, I originally thought I wanted to be an accountant. After working on a few Widgets Inc. projects in college, I figured out that wasn’t what I really wanted to do. Risk management found me. The rest is history. Looking back, I am pleased with how things worked out.

R&I: What is the risk management community doing right?

Advertisement




I think we do a nice job on post graduate education. I think the ARM and CPCU designations give credibility to the profession. Plus, formal college risk management degrees are becoming more popular these days. I know The University of Akron just launched a new risk management bachelor’s program in the fall of 2017 within the business school.

R&I: What could the risk management community be doing a better job of?

I think we could do a better job with streamlining certificates of insurance or, better yet, evaluating if they are even necessary. It just seems to me that there is a significant amount of time and expense around generating certificates. There has to be a more efficient way.

R&I: What was the best location and year for the RIMS conference and why?

Selfishly, I prefer a destination with a direct flight when possible. RIMS does a nice job of selecting various locations throughout the country. It is a big job to successfully pull off a conference of that size.

Curt Gross, Director of Risk Management, Parker Hannifin Corp.

R&I: What’s been the biggest change in the risk management and insurance industry since you’ve been in it?

Definitely the change in nontraditional property & casualty exposures such as intellectual property and reputational risk. Those exposures existed way back when but in different ways. As computer networks become more and more connected and news travels at a more rapid pace, it just amplifies these types of exposures. Sometimes we have to think like the perpetrator, which can be difficult to do.

R&I: What emerging commercial risk most concerns you?

I hate to sound cliché — it’s quite the buzz these days — but I would have to say cyber. It’s such a complex risk involving nontraditional players and motives. Definitely a challenging exposure to get your arms around. Unfortunately, I don’t think we’ll really know the true exposure until there is more claim development.

R&I: What insurance carrier do you have the highest opinion of?

Advertisement




Our captive insurance company. I’ve been fortunate to work for several companies with a captive, each one with a different operating objective. I view a captive as an essential tool for a successful risk management program.

R&I: Who is your mentor and why?

I can’t point to just one. I have and continue to be lucky to work for really good managers throughout my career. Each one has taken the time and interest to develop me as a professional. I certainly haven’t arrived yet and welcome feedback to continue to try to be the best I can be every day.

R&I: What have you accomplished that you are proudest of?

I would like to think I have and continue to bring meaningful value to my company. However, I would have to say my family is my proudest accomplishment.

R&I: What is your favorite book or movie?

Favorite movie is definitely “Good Will Hunting.”

R&I: What’s the best restaurant you’ve ever eaten at?

Tough question to narrow down. If my wife ran a restaurant, it would be hers. We try to have dinner as a family as much as possible. If I had to pick one restaurant though, I would say Fire Food & Drink in Cleveland, Ohio. Chef Katz is a culinary genius.

R&I: What is the most unusual/interesting place you have ever visited?

The Grand Canyon. It is just so vast. A close second is Stonehenge.

R&I: What is the riskiest activity you ever engaged in?

Advertisement




A few, actually. Up until a few years ago, I owned a sport bike (motorcycle). Of course, I wore the proper gear, took a safety course and read a motorcycle safety book. Also, I have taken a few laps in a NASCAR [race car] around Daytona International Speedway at 180 mph. Most recently, trying to ride my daughter’s skateboard.

R&I: If the world has a modern hero, who is it and why?

The Dalai Lama. A world full of compassion, tolerance and patience and free of discrimination, racism and violence, while perhaps idealistic, sounds like a wonderful place to me.

R&I: What about this work do you find the most fulfilling or rewarding?

I really enjoy the company I work for and my role, because I get the opportunity to work with various functions. For example, while mostly finance, I get to interact with legal, human resources, employee health and safety, to name a few.

R&I: What do your friends and family think you do?

I asked my son. He said, “Risk management and insurance.” (He’s had the benefit of bring-your-kid-to-work day.)

Katie Dwyer is an associate editor at Risk & Insurance®. She can be reached at [email protected]