Login Register Subscribe
Current Issue

Lloyd's cyber study reveals insurers' aggregation risks

Reprints

A coordinated cyber attack on the U.S. power grid could cause large, but manageable, losses of about $21 billion for the insurance industry, according to a study published Wednesday that addresses the risks of aggregation.

An attack whereby hackers shut down parts of the grid, leaving 15 U.S. states and Washington without power, could cause economic losses of about $243 million — or as much as $1 trillion in the most extreme scenario — and impact a broad range of insurance coverages, according to the report, “Business Blackout: the insurance implications of a cyber attack on the U.S. power grid” produced by the Centre for Risk Studies at Cambridge University in conjunction with Lloyd's of London.

Such an attack, stemming from fires in power generators caused by a cyber attack, likely would impact about 32 lines of insurance, said Andrew Coburn, director of the advisory board of the Cambridge Centre for Risk Studies and senior vice president at catastrophe modeler Risk Management Solutions Inc. in London.

The main drivers of insurance losses would be the property damage at the generators themselves, business interruption losses from companies that lose power and contingent business interruption losses for companies that trade with those that lose power.

Other major areas of insured losses likely would include incident response costs, fines, liability, perishable contents, household contents and event cancellation, he said.

There would be several areas of potential coverage dispute arising from the scenario, Mr. Coburn said, including peril definition and attribution — who caused the loss and why, the territorial distance of limits for insured sites, and deductibles for the duration of the event.

The potential losses “are not limited to affirmative cyber coverages,” Mr. Coburn said, and there are areas of ambiguity and “silent coverages” that could potentially be damaging for some insurers.

“It is to everyone's advantage to be clear about what is covered and what is not,” he said.

Tom Bolt, director of performance management at Lloyd's, said the report had been commissioned, in part, to give Lloyd's greater insight into possible loss aggregations from a major cyber event.

“We think we should be insuring cyber, but we think it is incredibly important to understand the aggregation of risk,” said Mr. Bolt, who said that he was worried about how to protect the Lloyd's Central Fund, which covers syndicates that are unable to meet their liabilities, from the actions of a “kid in a bedroom somewhere.”

Mr. Bolt urged underwriters and insurance buyers to share information about cyber attacks in order to build up greater knowledge about how to price risks as well as potential aggregation of risk.

A cyber attack that affected several industry segments could cause aggregation vulnerabilities and threaten some insurers' solvency, for example, he said.

“We want to make sure that is not a risk we take,” he said.