Physical cyber attack risk exposes gap in coverage
Physically destructive cyber terrorism is a “real gap” in current insurance coverage, according to the head of Australia’s Reinsurance Pool Corporation (ARPC).
Speaking in Sydney last week at the Cyber Risk Seminar hosted by Finity and the Australian and New Zealand Institute of Insurance and Finance, ARPC CEO Chris Wallace said the risk of catastrophic physical property and infrastructure has increased as the physical world and cyberspace become more interconnected.
“Yet cyber terrorism is not covered by Australia’s terrorism insurance scheme because it is defined as a computer crime, which is excluded by the Terrorism Insurance Act 2003.”
Dr Wallace told insuranceNEWS.com.au the ARPC wants to highlight the existence of the gap so the market will develop policies to cover it.
“There have been some physically destructive attacks around the world,” he said.
“There are not many of these attacks, and we’re not saying terrorists have the capabilities, just that there is a gap in the cover that is available in the market.”
Dr Wallace gave the example of a German steel mill’s electronic control system that was hacked into in 2014, causing “massive damage” to the blast furnace.
According to the German Federal Office for Information Security (BSI) the attackers accessed emails to steal logins, giving them access to the electronic control system.
And in 2008 Russian hackers shut down alarms, cut off communications and super-pressurised a Turkish crude oil pipeline, causing it to explode and causing a major fire.
Finity Consulting Principal Stephen Lee also acknowledged the potential physical damage from cyber attacks.
“The cyber attacks carried out in the US against Sony in November 2014 and Target in December 2013 generated a great deal of global media coverage, as have other attacks since then,” he said.
“But in our increasingly connected world, a cyber attack can also mean disruption to utilities or cause malicious damage to property. With the ever-present risk of terrorism in today’s environment, this is a risk that businesses cannot afford to ignore.”
Mr Lee says getting board level involvement in cyber risk management is critical.
“Recognising the risks both to data, business interruption and physical assets is an important first step to tackling the problem,” Mr Lee said.
“Insurers have a key role in helping the business community and the wider economy to manage this risk.”
Dr Wallace says he expects the market to quickly develop appropriate cover over the next few years.