Hypothetical Scenarios of Cybersecurity Catastrophes Might Aid Insurance Companies

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Ali Qassim  

May 22 — Assessing the risks of hypothetical cybersecurity catastrophes might help insurers determine what assets of a company are at risk, Andrew Coburn, director of the External Advisory Board of the University of Cambridge's Centre for Risk Studies, said May 21.

Coburn, who is vice president of catastrophe research at Risk Management Solutions, a provider of catastrophe risk models to the insurance industry, was speaking at the Cyber Risks and Opportunities conference held in London. The event was organized by the Association of British Insurers and Sidley Austin LLP.

At a separate session, Sarah Stephens, head of cyber risk for Europe, Middle East and Africa at insurance broker Aon PLC, said companies may not be able to get coverage under traditional policies.

Worst-Case Scenario

A systemic cyberattack could cause nearly as much damage to the global economy as the systemic banking collapse did in 2007, Coburn said.

Based on a worst-case scenario, a series of unexplained information technology failures on “systemically important technology enterprises” (SITEs), such as Oracle Corp., International Business Machines Corp., Microsoft Corp., SAP AG/Sybase and Teradata Corp., could lead to a loss of $15 trillion in gross domestic output over five years, on a similar scale to the $18 trillion lost during the recent financial crisis, Coburn said.

SITEs are comparable to the “systemically important financial institutions” (SIFIs) that triggered the 2007 financial crisis because SITEs and their products are, like the SIFIs, deeply embedded in the operations of the world's biggest companies, he said.

Catastrophe Scenarios to Help Insurers

“This isn't a prediction of the future, it's based on a stress test scenario,” Coburn said, referring to how the Centre for Risk Studies models hypothetical chains of events using many different categories of threats, including cyberattacks.

The Centre for Risk Studies explored the issues of insurance risk from cyberattacks by devising a “what if scenario,” involving a fictional leading database software company used by major global corporations whose flagship database product is hacked by a disgruntled employee, Coburn said.

The resulting algorithmic errors caused major write-down, trading losses, lawsuits and physical damage to the fictional company, triggering a generalized distrust of computerized systems and widespread losses across the corporate world.

By developing a “Framework for Cyber Catastrophe Risk Assessment,” Coburn said the Centre for Risk Studies is trying to help insurers estimate how much of a company's revenues might be at risk if software tools on which it relies are compromised.

The framework is also designed to help business sectors and individual companies to assess their potential exposure to systemic cybersecurity risk, he said.

The Centre for Risk Studies is planning to release a full “Cyber Scenario Report” covering the context and methodology of its cybersecurity catastrophe stress test scenario in June.

Risks Rising, Coverage Insufficient

While cases of cybersecurity risks are growing significantly, many businesses are finding that the available coverage for these exposures under traditional policies is insufficient, Stephens said at a separate session.

For instance, general liability, material damage and property policies that were designed to respond to natural disasters that damage physical assets haven't been updated to cover malware attacks that cause damage, but not necessarily to “tangible property,” she said.

In the case of crime policies, coverage requires evidence of intent or actual theft of money, securities or tangible property, which is difficult to apply to cybersecurity risks because they are largely nonphysical and in many cases, caused by human error, not deliberate action, Stephens said.

Closing Coverage Gaps

To help close coverage gaps in standard policies, Stephens said that insurers have started to widen the scope of cybersecurity insurance coverage, including liability sections covering defenses costs, damages, regulator fines and expenses paid to vendors.

However, she stressed there is still room for insurers to develop additional policies, particularly to compensate for losses caused to organizations through an information technology failure or a cyberattack on their core business, she said.

Health-care services adopted cybersecurity insurance coverage at the fastest rate in 2013 in Europe, the Middle East and Africa, with 10.2 percent of the sector purchasing coverage, up from 5.9 percent in 2012, Stephens said.

To contact the reporter on this story: Ali Qassim in London at correspondents@bna.com

To contact the editor responsible for this story: Katie W. Johnson at kjohnson@bna.com

Request Bloomberg Law Privacy and Data Security