2222222222

Property Risk

Is Your Plant Ready for a Cyber Attack that Causes Physical Damage?

Underwriters and risk managers are beginning to get their arms around the next wave of cyber exposure — an attack that causes property or bodily damage.
By: | July 27, 2017 • 7 min read

When the Baku-Tbilisi-Ceyhan pipeline exploded in 2008 in eastern Turkey, it damaged the pipeline in Refahiye, spewed oil into the environment and posed physical harm to firefighters called in to quell the flames.

Cyber attackers apparently hacked into the pipeline’s control system and manipulated valves to increase pressure inside the pipe, while suppressing alarms that would have alerted operators to an error.

Advertisement




In 2014, an unnamed steel mill in Germany sustained extensive damage after hackers breached the plant’s computer network via a spear phishing email, then infiltrated industrial systems that control operational machinery.  The attack compromised the system so that a blast furnace could not be shut down.

In another well-known incident the year before, the Stuxnet computer virus engineered by U.S. and Israeli forces damaged thousands of centrifuges at an Iranian nuclear power plant, again compromising system controls while making it appear everything was working normally. The virus was introduced through an employee’s thumb drive.

These are only a few examples of cyberattacks that caused physical property damage and potential bodily injury.

“The breaches and cyberattacks we see in the news are usually around the theft of personally identifiable information,” said Tracie Grella, global head of cyber risk insurance at AIG.

“We’ve seen ransomware events, DOS attacks. The data disclosure and business downtime are usually the results of a network breach. But the potential for extensive physical damage is an emerging risk.”

As cyber risk rapidly evolves, the insurance industry is working hard to keep up. However, gray areas remain and there are unanswered questions about how to underwrite and mitigate such a dynamic risk.

Loss Scenarios

“Five to 10 years ago, cyberattacks were motivated primarily by financial gain and access to confidential data,” said Chris O’Byrne, cyber underwriting specialist at FM Global. “This has evolved into more attacks focused on causing business disruption, and others where the goal is physical damage.”

Tracie Grella, global head of cyber risk insurance, AIG

Though every type and size of company is susceptible to a cyberattack, those with industrial-control systems (ICS), such as manufacturers and energy suppliers, may be most vulnerable to an attack intended to cause physical damage. Industrial-control systems are comprised of many components relying on communication between separate computer networks. The less cohesive a system is, the more opportunities arise for hackers to find a way in.

“We’re seeing more reports of malware being written specifically to target these systems,” O’Byrne said.

“Companies first think to look at their GL or property policies for coverage … but these policies really were not designed to respond to cyberattacks.” — Tracie Grella, global head of cyber risk insurance, AIG

“The intent may not be to expressly cause physical damage, but that could certainly be a result.”

The physical damage that could result from an attack on ICS varies. It could be a fire that destroys equipment or a whole facility; it could be the simple wearing down and corrosion of machinery; it could involve environmental damage, or damage to any goods being produced.

“Hackers can spoof sensors by sending false data. They can force cyclical behaviors, like turning something on and off in rapid cycles, which causes machinery to wear out, fuses to be blown, leaking, and in some cases explosion and fire,” said Tom Harvey, product manager of cyber solutions at RMS, the risk modeling firm.

“It could be something as simple as disconnecting safety features,” he said. “Everything would be operating as it should, but there’s the increased risk for bodily injury.”

Spoofing sensors also can cause damaged goods, without harming any machinery or equipment. In a refrigerated truck, for example, hackers would feed sensors false data so they continually record a temperature of 0 degrees, even if it’s 70 inside the truck. An entire shipment of frozen goods would be ruined by the time it reaches its destination.

“It’s not that the refrigeration equipment was broken; it’s that the sensors were fed the wrong information, and no one had any indication that it was false,” said Robert Parisi, cyber product leader at Marsh. “These losses will not fall into the simple buckets in which the insurance community likes to put things.”

The scope of potential losses leaves risk managers wondering what insurance policy, if any, will cover the damage.

Looking for Cover

“The question in insurance becomes: where is that covered?” Grella said.

Advertisement




The industry has no uniform way to address these losses. Cyber coverage typically excludes physical loss. Property or general liability policies likely cover property damage, even if the underlying trigger was a cyber event. Companies also might find coverage in crime or fidelity policies, if the breach was perpetrated by an employee.

“Companies first think to look at their GL or property policies for coverage, and they may find it there, but these policies really were not designed to respond to cyberattacks,” Grella said.

“Finding silent coverage is not really where insurers or insureds want to be. Clients want to know what they’re buying and what’s covered, and carriers want to know exactly what they’re covering.”

Coverage for cyber-triggered physical losses could extend in two directions. Carriers could begin offering affirmative coverage for cyber events in property policies, or cyber policies could expand to include property damage and bodily injury, not just loss of data, business interruption and other non-physical losses.

Tom Harvey, product manager of cyber solutions, RMS

“Market conditions will dictate that evolution to some degree,” Harvey of RMS said. “At the moment, the property market is very soft, which drives underwriters to try to win more business, which means they’ll be more generous with their cyber coverages. On the other hand, regulators want to ensure underwriting is done properly, with adequate controls in place, which could push property underwriters to move away from cyber endorsements.”

Property and cyber underwriters need to work together to ensure they are managing the risk appropriately. Marsh’s Parisi said some cyber insurers have offered to cover physical loss only if the insured’s property policy does not respond. This shows the industry is recognizing the widening coverage gaps.

“Cyber policies expanding to take in this exposure is the cleanest way to do it,” he said. “We are seeing greater flexibility on the part of the cyber market to adapt to changing loss scenarios that don’t have actuarial data behind them or underwriting standards.”

AIG, Marsh and FM Global are among insurers and brokers offering expanded cyber products designed to affirmatively cover physical harm.

“We’re starting to get more inquiries about our coverage and how it intersects with other cyber policies,” FM Global’s O’Byrne said. “What clients really want is contract certainty.”

Risk Mitigation

RMS has spent the past year modeling the severity of physical losses triggered by a cyberattack, but nailing down the frequency remains a challenge.

“We have developed models to confidently help insurers assess what the severity of cyber-physical events might be,” Harvey said. “RMS are continuing to explore methods of assessing the probability of these rare events as we know both the frequency and severity are critical components of quantifying the risk.”

With cyber risks evolving and uncertainties in the type and scope of losses and coverage gaps, the best approach risk managers can take is to treat cyber like any other operational risk and apply enterprise risk management.

“The best companies approach cyber risk the same way they do currency risk, or political unrest, or weather risk — like any other standard risk,” Parisi said. “Tech-based risks are really no different that any other risk and you need to manage them through the normal risk management channels. Make sure that technology risk is part of the ERM discussion.”

“If you are targeted by a sophisticated group of hackers, they will find a way in. You have to make sure you’re properly covered.” —Tom Harvey, product manager, cyber solutions, RMS

Cross-functional teams including risk management, IT, operations and security should work with senior executives to assess the scope of cyber risk and develop a multi-pronged strategy, O’Byrne said.

Advertisement




“Buying the newest, shiniest piece of technology won’t necessarily solve your exposure. Assuming that the IT guys will somehow fix it ignores the fact that technology has crept into everything that we do. It’s an active risk to be managed, not a problem to be solved,” he said.

Patching cyber vulnerabilities in industrial-control systems, and separating critical control systems from business networks and other non-critical functions can make it harder for hackers to access machinery and production controls.

Risk managers also should conduct gap analyses to determine if and where they have coverage for physical damage from a cyberattack.

“Your broker or a third-party vendor can provide this service,” Grella of AIG said. “You want to make sure you have a primary policy that provides coverage for physical damage from cyber on an affirmative basis.”

Given the near impossibility of gauging and defending against all cyber exposures as the risk takes on new forms, closing coverage gaps will be the most critical risk management technique.

“If you are targeted by a sophisticated group of hackers, they will find a way in,” Harvey said. “You have to make sure you’re properly covered.” &

Katie Dwyer is an associate editor at Risk & Insurance®. She can be reached at [email protected]

More from Risk & Insurance

More from Risk & Insurance

Risk Management

The Profession

The risk manager for Boyd Gaming Corp. says curiosity keeps him engaged, and continual education will be the key to managing emerging risks.
By: | May 1, 2018 • 4 min read

R&I: What was your first job?

I was trained as an accountant, worked in public accounting and became a CPA. Being comfortable with numbers is helpful in my current role, and obviously, the language of business is financial statements, so it helps.

R&I: How did you come to work in risk management?

Working in finance in the corporate environment included the review of budgets and the analysis of business expenses. I quickly found the area of benefits and insurance — and how “accepting risk” impacted those expenses — to be fascinating. I asked a lot of questions. Be careful what you ask for — I soon found myself responsible for those insurance areas and haven’t looked back!

R&I: What is the risk management community doing right?

Advertisement




I have found the risk management community to be a close-knit group, whether that’s industry professionals, risk managers with other companies or support organizations like RIMS and other regional groups. The expertise of the carriers and specialty vendors to develop new products and programs, along with the appropriate education, will continue to be of key importance to companies going forward.

R&I: What’s been the biggest change in the risk management and insurance industry since you’ve been in it?

As I’m sure many in the insurance field would agree, Hurricanes Katrina and Rita in 2005 changed our world and our industry. It was a particularly intense time and certainly a baptism by fire for people like me who were relatively new to the industry. This event clearly accelerated the switch to the acceptance of more risk, which impacted mitigation strategies and programs.

Bob Berglund, vice president, benefits and insurance, Boyd Gaming Corp.

R&I: What emerging commercial risk most concerns you?

The fast-paced threat that cyber security represents today. Our company, like so many companies, is reliant upon computers, software and IT expertise in our everyday existence. This new risk has forged an even stronger relationship between risk management and our IT department as we work together to address this growing threat.

Additionally, the shooting event in Las Vegas in 2017 will have an enduring impact on firms that host large gatherings and arena-style events all over the world, and our company is no exception.

R&I: What insurance carrier do you have the highest opinion of?

Advertisement




With the various types of insurance programs we employ, I have been fortunate to work with most of the large national and international carriers — all of whom employ talented people with a vast array of resources.

R&I:  How much business do you do direct versus going through a broker?

We use brokers for many of our professional coverages, such as property, casualty, D&O and cyber. We are self-insured under our health plans, with close to 25,000 members. We tend to manage those programs internally and utilize direct relationships with carriers and specialty vendors to tailor a plan that works best for team members.

R&I: Who is your mentor and why?

I have been fortunate to have worked alongside some smart and insightful people during my career. A key piece of advice, said in many different ways, has served me well. Simply stated: “Seek to understand before being understood.”

What this has meant to me is try everything you can to learn about something, new or old. After you have gained this knowledge, you can begin to access and maybe suggest changes or adjustments. Being curious has always been a personal enjoyment for me in business, and I have found people are more than willing to lend a hand, offer information and advice — you just need to ask. Building those alliances and foundations of knowledge on a subject matter makes tackling the future more exciting and fruitful.

R&I: What have you accomplished that you are proudest of?

Our benefit health plan is much more than handing out an insurance card at the beginning of the year. We encourage our team members and their families to learn about their personal health, get engaged in a variety of health and wellness programs and try to live life in the healthiest possible way. The result of that is literally hundreds of testimonials from our members every year on how they have lost weight, changed their lifestyle and gotten off medications. It is extremely rewarding and is a testament to [our] close-knit corporate culture.

R&I: What’s the best restaurant you’ve ever eaten at?

Advertisement




Some will remember the volcano eruption in Iceland in spring of 2010. I was just finishing a week of meetings in London with Lloyd’s syndicates related to our property insurance placement when the airspace in England and most of northern Europe was shut down — no airplanes in or out! Flights were ultimately canceled for the following five days. Therefore, with a few other stranded visitors like myself, we experimented and tried out new restaurants every day until we could leave. It was a very interesting time!

R&I: What is the riskiest activity you ever engaged in?

I am originally from Canada, and I played ice hockey from the time I was four years old up until quite recently. Too many surgeries sadly forced my recent retirement.

R&I: What do your friends and family think you do?

That’s a funny one … I am a CPA working in the casino industry, doing insurance and risk management, so neighbors and acquaintances think I either do tax returns or they think I’m a blackjack dealer at the casino!




Katie Dwyer is an associate editor at Risk & Insurance®. She can be reached at [email protected]