Cyber Vandals
Q&A with Mike Andler, Executive Vice President, U.S. Property Leader; and Bill Boeck, Global Cyber Product & Claims Leader, Lockton
Q
What are the key cyber threats you’re seeing going into 2022?
A
Boeck: We are going to continue to see ransomware as the main cyber threat. That isn’t to say there won’t be what some may think of as more typical cyber threats such as data breaches and things like denial-of-service attacks. Those attacks will certainly continue.
People need to be aware of all cyber threats because you can’t dismiss any of them. Just because ransomware is top of mind for most companies, that doesn’t mean that cyber threats such as data breaches, malware attacks, even things like business email compromise aren’t going to continue—they will. Companies need to be aware of those and protect themselves. If they aren’t hit by ransomware, they could be hit by any of the others, and those threats can do significant damage.
Cyber threats involving property damage have been there since the Stuxnet malware was launched and have existed in one form or another ever since. There have not been large headline-grabbing events that have focused attention on it; the events are nevertheless continuing.
A cyber event can be as simple as somebody shutting off the air conditioning to a data center and a lot of expensive computer equipment is damaged or destroyed. But it can be as catastrophic as an attack on a gas or oil pipeline that causes environmental damage, explosions or things of that nature. Or it could simply slow down delivery. That will, in and of itself, damage a pipeline operator.
Q
Where do cyber and property intersect?
A
Andler: A cyber proximate cause of loss that results in physical damage is where the bridge between cyber and property comes together. That’s not an emerging threat. That’s just a threat, period, from any possible cyber attack that is focused on causing property damage. That is a risk. The threat is probably just getting more frequent. The attacks are emanating from state causes as well. I would say there is an increase in severity and also an increase in frequency. The challenge is that, when it comes to the protection of property, the client base needs to be vigilant about potential vulnerabilities.
Q
Is the threat predominantly from state actors, terrorist groups, or cyber criminals?
A
Boeck: What I see reported with respect to property damage seems to be well-financed threat actors affiliated with a state.
Q
What are some examples of property damage from a cyber attack?
A
Andler: Someone causes a cyber entry into a facility and drives the cooling pumps for a boiler to shut off, causing the boiler to over-pressure and explode. You can picture that for a cooling jacket for some sort of vessel that needs to be cooled down, whether it be a steel mill or some sort of chemical process. Someone hacks into an electronic thermostat, call it your Nest, in a building and causes the temperature in the freezer to go up and all the food goods inside the freezer to spoil.
Q
How does the growing automation of manufacturing, industrial processes and utilities create vulnerabilities?
A
Boeck: With the Industry 4.0 initiative (integrating technology and automation into industry) and manufacturers, in particular, becoming much more mechanized and much more computerized, the risk is that either some type of cyber event temporarily or permanently disables the machinery or it actually destroys the machinery or the products that machinery is making. Someone could, for example, change a setting on a machine making a part, causing the parts to be manufactured defectively. That would make those parts useless.
Q
What sectors are vulnerable to these kinds of attacks?
A
Andler: We would consider industrial classes to be more vulnerable than pure soft occupancy classes because they have rotating equipment and operating equipment that is more subject to some of the operational technology exposures. As more and more operational technology risks become connected to the information path, then their exposures increase. They run the likelihood of someone being able to connect to that and cause some sort of physical damage.
Q
Is the property damage threat under-recognized?
A
Andler: It’s kind of a low-frequency, high-severity situation. But connecting all the dots, as more manufacturing risks become connected—information technology and operational technology coming together—as that vulnerability continues to increase for clients and the threat continues to increase, the frequency of loss will continue to increase.
Q
What’s the silent cyber risk in property?
A
Andler: The inherent silent nature of property is the way that the property insurance market has been trying to deal with the emerging risk of a physical damage loss emanating from a cyber proximate cause. The collective group of insurance companies that we do business with, they all handle it in a different way.
Usually, the property market is trying to address how it handles issues around cyber with exclusions, and all those exclusions are done in different ways by different carriers. It’s not easy to compare the coverage you would get from cyber if you had policies from two different carriers. We view the fact that you never really know what you have as being a silent cover.
Q
With ransomware, the motivation seems to be money, but what is the motivation behind cyber attacks seeking to cause physical damage?
A
Boeck: Malice. It could be a hacker simply being indifferent to the damage that could be caused but wanting to see if they could do it. There obviously can be political motivations depending on who the threat actor is.
Q
What is the cyber market lacking in terms of coverage, and how do cyber products need to evolve to meet those risks?
A
Andler: A lot of the cyber insurance market developed out of the executive risk classes of business. There was an effort to kind of consolidate all the perils—property, casualty and financial lines—into one product, a cyber policy that includes everything. The property market was generally making a push to move all that into cyber. Now there is a recognition that maybe the property piece isn’t addressed adequately. This is why we wanted to create a product that clearly identifies to clients the gap that was being created by the market and solve the problem with a product that includes property damage and business interruption.
Q
Does the current supply chain crisis heighten the business interruption risk?
A
Boeck: Yes, without a doubt. The auto industry is a great example. Automobile manufacturers rely on parts produced around the world. The absence of key parts such as semiconductor chips in 2021 could lead to plants being idled. If a chip manufacturer is hit with a cyber attack that affects its ability to supply chips to auto companies, those companies will face potentially significant losses.
Q
Are there other risks that may be overlooked?
A
Boeck: One of the things that goes hand in hand with property damage resulting from a cyber event is the potential for the event to hurt people. If there is bodily injury, how is that going to be covered? Bodily injury coverage is excluded under cyber policies. With the industry moving away from silent cyber coverage, most insurers are declining to cover bodily injury resulting from a cyber event under general liability and other non-cyber policies. That requires companies to go out and find that coverage, which is possible to do, but it’s not easy. There is a lot of work involved on the underwriting end, and as with everything else in the cyber insurance world right now, it will be expensive.
