Lloyd’s, in partnership with Guy Carpenter and cyber analytics specialist CyberCube, has launched a new report, The Emerging Cyber Threat to Industrial Control Systems, which provides an original analysis of potential cyber-attack pathways to an industrial target.
As cyber threats continue to evolve and become more sophisticated, it is crucial for insurers to understand these emerging risks in order to keep pace with their clients’ exposures.
The report considers potential real-world scenarios which visualise a range of cyber-attacks causing physical damage to major industrial and manufacturing organisations, and examines how ‘Internet of Things’ devices are posing an increasingly high risk of cyber-attack to these businesses.
Cyber-attack risks have previously been considered unlikely to materially impact the physical market, with cyber perils traditionally emerging in the form of non-physical losses. However, the report looks at how physical risks have become an increasing concern for industrial businesses as shown by recent high-profile breaches. As bridges are increasingly being built between information technology (IT) and operational technology (OT), along with increases in automation and sophistication of threat actors, it is paramount that (re)insurers carefully consider where major losses may occur.
Designed to aid individual syndicates’ understanding of the impact of emerging cyber risks on their portfolios of business, the report outlines three scenarios that represent the most plausible routes by which a cyber-attack against industrial control systems (ICS) could generate major insured losses. All three scenarios have historical precedents and the report describes how more severe events could unfold. Considering the four key industries dependent upon ICS (Manufacturing, Shipping, Energy and Transportation), the report assesses precedents and the potential impact on each.
Jamie Pocock, Head of GC Cyber Analytics – International, said: “A major ICS attack could impact a broad range of industrial businesses and classes of insurance. As these attacks cross the divide between information technology and operational technology, they could conceivably involve significant property damage and loss of human life. The key is continued research, surveillance, and risk selection to help improve underwriting standards and portfolio management.”
The report concludes by making a number of recommendations and suggesting potential areas of focus for the Lloyd’s market but also for anyone with an interest in cyber exposure management or underwriting.