If nothing else, the recent enforced and extended shutdown of the mainline operations of Colonial Pipeline, a key East Coast US oil products pipeline, has highlighted, yet again, that cyber risk is a very real and growing threat, and can have significant direct and indirect impacts if an attack is carefully targeted.
The vulnerability of utilities and infrastructure to cyberattacks has been flagged as an issue for a long time, and was amply demonstrated by the now infamous attack on Ukraine’s power grid during the winter of 2015, generally attributed to those acting in concert with or at the behest of the Russian government and/or security services. Reportedly, the US and the Russian governments have also deliberately penetrated each other’s electricity grids and installed what one might term “latent” capabilities. The cyberattack on US government departments and agencies in December 2020 (again allegedly involving Russian state-affiliated actors) simply reinforces that this is a continuing struggle: sometimes covert; sometimes, as with the Colonial Pipeline hack, very public.
In the tech business realm, where subscription models and “X” as a Service are, quite rationally, all the rage, there is a continuous arms-race between the “black” and “white” hats, one which (re)insurers will be paying nervous attention to, not only in terms of protecting their own data-built and data-dependent businesses, but more so in terms of the explicit or “silent” cyber exposures they may have within their policy portfolios. The increasing scale, sophistication and impact of more recent attacks should give pause to anyone who still thinks that the risks are predictable, and so manageable across a large, diversified portfolio. The reach of certain operating and software systems demonstrates that the classic industry- or geography-based approach to risk mitigation can prove seriously misguided.
Not only that, but there seems to be an ever-fatter left tail emerging in the risk profile for cyber covers, as hackers target ever larger enterprises, and have the potential to cause greater economic damage, or try to extract larger “ransoms”. As author Misha Glenny, quoting cybersecurity business Bitdefender, pointed out in a recent Financial Times article, registered (i.e., disclosed) ransomware attacks in 2020 were 485% higher than in 2019. Imagine if the rate or scale of “traditional” CAT events increased 5-fold: what would that do to your “standard” risk model? How does one price for a 5-fold increase in frequency within a single accident year, let alone magnitude?
And when “Dark Web” hackers actively advertise their services and aim to recruit “franchisees”, one knows that hacking-for-profit has moved from being a threat that lurked in the shadows, and rarely became public (if the victims were able to suppress disclosure), to a more “mainstream” activity, joining the catalogue of ways in which criminals can make money, or cause mayhem. Frankly, we would not be surprised if “recognized franchises” (think Mafia or Yakuza equivalent) start “offering protection” against being hacked or subject to ransom demands for those who pay a fee for that “service”. In fact, the approach probably already exists!
In this context, it now surely behooves those (re)insurers who write cyber covers (Awbury does not) to fundamentally re-think whether and how they can sufficiently segment their markets and covers to provide capacity and aggregations which they can control, at a price and specification that an Insured is willing to pay. Demand is surely rising (and the Colonial Pipeline hack is proof of the risks) and it will be interesting to see how capacity and pricing respond.
The Awbury Team