Much is made these days of the risk of “cyber-attacks” on individuals, businesses and governments, with cyber insurance being one of the few growth areas in the (re)insurance industry. This is as it should be, because even the disclosed events (and the majority are likely not disclosed) show how damaging such attacks can be.
Of particular concern are systems and networks which provide essential services, such as power grids or air traffic control systems. Yet there are also under-appreciated risks in industries in which there is clear competition, with no obvious monopoly characteristics; one example being the oil and gas business.
Earlier in the year Marsh published a Briefing entitled “Could Energy Industry Dynamics Be Creating an Impending Cyber Storm?”, a headline which should have been guaranteed to catch attention. Not surprisingly, the article highlighted the fact that 76% of executives surveyed believed that Business Interruption (BI) would be the most dangerous cyber loss scenario. Of course, one of the issues the (re)insurance market faces is how to categorize a particular event and which particular policy(ies) should answer: the so-called “hidden cyber” dilemma. Conversely, risk managers may find out that the coverage they thought they had is not there, or is capped at much lower levels than expected. Causation and attribution may not always be self-evident in, say, the failure of a well-head pump.
That aside, a key issue that remains to be tested is the extent to which unexpected links and dependencies may show up as the result of a cyber-attack. An attack targeted at a particular O&G business may have a broad impact because, for example, cost-cutting as a result of the 2014-2016 industry downturn has led to supply chains becoming more integrated, with fewer alternative suppliers and greater standardization. Might disruption that flowed from an attack on one oil major’s operations cascade through its supply chain and, through that, into the operations of other producers? At what point might the digital equivalents of firebreaks stem the attack? Do they even exist?
The benefits of closer and more extensive integration are significant, so it is highly unlikely that the threat of a cyber-attack will reverse that process. However, the ever-expanding “Internet of Things” (IoT) means that more and more components of a business’ critical infrastructure are inter-connected, such that the potential consequences of an effective cyber-attack also increase in magnitude.
Paradoxically, all this means that effective risk management may well need to re-consider the creation of redundancies in systems (compare how civil aircraft are designed) and supply chains in order not to suffer a catastrophic business failure: in essence, “buying insurance” that the failure of one link or supplier can be contained, isolated and addressed. It is all very well seeking to be the most efficient and low-cost producer, but that should not come at the expense of potentially embedding the risk of ruin within the overall systems architecture.
Awbury does not write cyber-risk (and has no intention of doing so). However, one has to look beyond obvious first-order effects; and we believe that it is essential that we continue to study and learn more about the threats to otherwise robust and high-quality businesses, let alone to those with less capacity to withstand material disruption to their operations.
The Awbury Team