Breaking the Silence: Cyber Physical Cat Models Emerging
A frightened truck driver dodging a barrage of bullets fired from the assault rifles of a drug-smuggling criminal gang doesn’t seem like the obvious description of the final stages of a cyber attack.
But the real-life scenario that played out after the driver unwittingly picked up a cargo container that should have been filled with fruit or construction materials but instead had cocaine and heroin is one of the events sparking the growing interest of property, marine, energy and industrial insurers in “cyber physical” losses, a risk modeler revealed recently.
During a Cyber Risk seminar held by RMS in May, Christos Mitas, vice president of model development, clued attendees in on what in the world the shooting had to do with cyber hacking as he detailed a new “port interruption” scenario in Version 2.0 of RMS’s Cyber Accumulation Management System (CAM). The scenario is one of five new cyber physical loss scenarios now included in the RMS system.
According to Mitas, the real-life event was a cyber attack on the port of Antwerp that lasted two years. It started with criminals — “just plain old criminals that wanted to bring arms and drugs into Europe”–who hired hackers to break into the port management system of the Belgian port. “They didn’t use anything extremely sophisticated. They did that via spear-phishing,” he said, referring to a technique where hackers send out emails that trick recipients into clicking links that give them access to target company networks.
“Once they had access into the port, they manipulated the cargo details and they hid cocaine, heroin and weapons in cargo containers that otherwise had trivial stuff like bananas or timber,” Mitas said, noting that the operation went on for many months. The truck driver was an unplanned participant who caused the plot to unravel. He mistakenly got one of the containers that had the illegal material. “One of the criminals that was supposed to pick up the cargo container really freaked out and started shooting.”
The ensuing police investigation uncovered the entire operation and shut it down. But it’s still a worrisome scenario for marine and property insurers, which may or may not include coverage for cyber-related cargo theft and business interruption in their non-cyber policies.
Throughout the half-day conference, speakers referred to cyber physical loss accumulation scenarios now included in CAMS — port interruption, cyber-induced fires in commercial buildings, business blackouts (regional power outages stemming from cyber attacks on power grids) and hacks into control systems that could trigger oil rig explosions or fires at industrial processing plants — using the term “silent cyber” risks. The “silent” descriptor refers to the fact that many traditional insurance policies covering property damage, theft and business interruption do not have specific exclusions for situations where cyber attacks on operational technology (OT) cause losses, nor do they have clear grants of coverage.
Insurance policies that specifically cover cyber events or attacks on information technology (IT) — sometimes referred to as network, security and privacy policies and other times as standalone cyber or “affirmative cyber” — typically have carried an absolute bodily injury and property damage exclusion.
Tianjin-Type Losses
As both traditional and affirmative cyber players examine their ability to take on or exclude cyber physical risk, RMS aims to provide a tool to help them assess their current exposures with the new cyber physical scenarios in CAMS. For the port-interruption scenario, cargo losses in excess of those recorded for one of the most impactful recent non-cyber events for insurers — the August 2015 Tianjin explosion — are possible, Mitas said.
Before counting up potential loss damage figures, Mitas described the imagined port-interruption scenario in CAMS, which starts with a criminal gang seeking financial gain. Outlining each phase of the attack, the scenario envisions that hackers are hired by the criminals to take advantage of vulnerabilities of the port management system that were discovered and published in hacker chat rooms. The criminals target two or three major ports and four specific types of cargo contents: consumables, electronics, pharmaceuticals and jewelry. Once into the system, the hacking group can scramble shipping orders and mislabel cargo containers, allowing the criminals to take possession of the ones they want.
A year into the process, the Port Authority catches on to the fact that rates of mislabeling have been much higher than in a typical year.
The gang, realizing it has been discovered, wreaks havoc in the port, increasing the level of mislabeling and falsification of the documents to cover its tracks.
The port management system needs to be taken offline, the three targeted ports need to close for several days as the rightful cargo owners are identified and the damage assessed. “During that time perishable goods get spoiled, the port authorities face breach-of-privacy claims, and as the forensic team comes in to clean up the whole mess, there’s severe damage that has been discovered, loss of business and of course loss of reputation,” Mitas said.
How much damage?
Using an industry exposure database supplied by marine cargo modelers at RMS for the three largest ports for which RMS has cargo value data — Shanghai, Singapore and Rotterdam — the total economic ground-up loss that RMS computed by running this scenario through the second version of CAMS was $5.7 billion, “which is the same order of magnitude of the Tianjin explosion,” Mitas said, referring to just the cargo loss piece for both events. (Editor’s Note: At the time of the event, Guy Carpenter estimated losses between $1.6 billion and $3.3. billion.)
But the marine cargo line isn’t the only one impacted, Mitas noted. While cargo theft and perishable goods loss represents more than two-thirds of the economic losses, Mitas displayed a pie chart revealing 16 percent of the losses in the directors and officers liability insurance line, 8 percent for business interruption, 5 percent for technology errors and omissions, and smaller amounts for incident response and regulatory costs.
Before Mitas described the makings of the port-interruption scenario, …ireann Leverett, senior risk researcher at the University of Cambridge Centre for Risk Studies, gave equally vivid descriptions of other potential cyber physical losses, showing seminar attendees “how to use a mouse as a weapon of mass destruction” to blow up an oil rig or trigger an industrial facility explosion and “how to set fire to a thousand buildings.” In each case, the key is malicious manipulation of information or logic — temperature and pressure values on sensors or logic that tells switches and valves when to open and shut in industrial processes, for example. In the case of the office fires, manipulation of firmware in common brands of laptops makes it possible “to create a thermal runaway on lithium batteries,” Leverett said. When an attack is coordinated to occur on a specific night, even small numbers of overheated laptops can create an accumulation problem for insurers if the charging laptops are unattended in multiple buildings.
Part of Leverett’s presentation was ripped from the headlines, and part came from his prior experience working as a penetration tester for IOActive doing ethical hacking into the systems of oil, gas, electrical and water facilities.
One of the headline risks Leverett described involved a disgruntled employee who disabled the leak detection alarms for three offshore oil platforms. The hacker, Mario Azar, worked as a consultant in what’s called a network operation center (NOC). When he lost the position and wasn’t offered a permanent one, he still had access rights to the control systems, allowing him to shut the alarms. “This could have indeed ended up killing all of the people on the rig had they been poisoned, had they had a leak at the same time,” Leverett said.
Where’s the Coverage?
At a separate session of the RMS conference, insurer and broker representatives addressed questions about traditional property insurers that might potentially be on the hook for cyber physical losses. Moderator Peter Ulrich, an RMS senior vice president, wondered whether these insurers will try to put exclusions on their non-cyber policies.
“On paper, absolutely,” said Lori Bailey, global head of special lines for Zurich Insurance Group. “If there’s something you don’t want to cover in a policy, you put an exclusion in and make it very clear that you don’t intend to cover that.”
But there are challenges in trying to do that “in practice” for older forms out in the market, she continued. “You haven’t historically excluded it, but now [you] go in to exclude it [and] you are essentially implying that you were covering it at some point in time. You’re going to get a lot of pushback from [insureds] who say, ‘Wait a second. You’re taking something out of my policy, or you’re now going to offer me a new product that I have to pay extra for to affirmatively cover this.'”
She noted that affirmative cyber products have always historically had an absolute bodily injury and property damage exclusion. “Because it came out of the professional liability world, it was always very much designed for financial loss and very specific named peril network security and privacy events.”
Bailey said the market is in the early stages of cyber emerging in other products besides an affirmative policy. “We are starting to see it [cyber coverage] emerge now in marine policies, property policies, liability policies. There’s still a lot of work to be done on that side in terms of quantifying how much is actually there, and what exactly. In some cases, it’s a purely defensive mechanism; in other cases, they’re being a bit more proactive around actually giving affirmative cyber cover, but usually it’s limited to certain perils.
“So, there’s a lot of flux really in the market right now. And I think where you’ll start to see the market really diverge is those that stay in that more traditional security/privacy traditional affirmative cyber vs. more of an all-risk type approach, which is where I think ultimately you’ll see the market start to go, or certain markets to go, over the longer term,” Bailey said.
From a customer perspective, Anthony Shapella, risk officer for liability and financial lines at American International Group, said clients are pushing for affirmative coverage in each and every policy. Basing his assessment on conversations he’s had with AIG cyber underwriters, he said clients are demanding this “because they don’t know exactly what the ultimate cause of loss will be and they want assurance that they’re going to get coverage.”
Shapella gave the example of car manufacturer Renault suffering a business interruption loss during the WannaCry event. “This peril [cyber] can hit companies at so many different angles, and companies want assurance that no matter what angle they get hit, they’re going to have coverage,” he said, noting that an auto manufacturer that makes self-driving cars will want assurance that if the mechanism they use to make that car drive by itself fails and someone is injured, then there’s going to be coverage.
The impact of WannaCry and other cyber attacks on IT systems on the affirmative cyber market and RMS’s existing IT risk scenarios in CAMS were the main topics of the panel discussion. Addressing cyber physical, however, Alice Underwood, an executive vice president of Willis Re, said that “every manufacturing company is an IT company these days because there are very few sophisticated products that don’t have some relationship to the Internet of Things.”
“As far as what the [non-cyber] insurers are doing, there’s a spectrum. There are insurers who are sort of not thinking about it. They think because they’re not writing specific cyber insurance policies that they don’t have cyber exposure, which is totally not true, especially if they’re using old forms” without exclusions. There are [others] that are putting endorsements on but are neglecting to add those new exposures to their aggregation calculations, she said.
Bailey believes a culture shift is taking place. “Historically, we’ve got property underwriters that underwrite property, casualty underwriters that write casualty and professional liability underwriters writing professional. Cyber is the first peril we’ve seen really transcend itself across all these different lines of business.