The insurance industry underwrites cyber risk by forming a view of the severity and frequency of cyber events. The figure below summarizes that view for the different loss categories for large UK businesses, noting that one event can trigger more than one loss category. Furthermore, in almost all cyber events, the company incurs incident investigation and response costs, which can account for around 10 percent to 20 percent of the cost of a cyber-security breach for a large business (1), according to a survey of UK companies.
Physical losses are a growing concern, in terms of both severity and frequency, given the interconnectedness of cyberspace and the physical world. One example of this new category of risk can be seen in the way that industrial control systems operate in the energy sector. Today, these new-generation control systems are built on the concept of openness and interoperability, which has exposed the sector to a host of cyber-security risks that are only just beginning to be understood.
A recent example of a physical loss resulting from a cyber-attack occurred at a steel mill in Germany after hackers managed to gain access to the control systems following a successful “spear phishing” attack, which targeted particular individuals for login details. Once access was secured, the hackers were able to cause the unscheduled shutdown of a blast furnace that resulted in “massive damage,” according to the German Federal Office for Information Security.
For the time being, the probability of death and bodily injury resulting from a cyber-attack is considered to be negligible. We should note, however, that in the future, as more devices go online, cyber hacks and system malfunctions could pose a more material threat to human life.
1. 2014 Information Security Breaches Survey, UK Department of Business Innovation and Skills, 2014.