In the advent of a major cyber-attack against the United States power grid, people could conceivably die as health and safety systems fail, business come to a standstill, and transportation networks stop working. An insurance company calculated such an attack would cause between $243 billion to more than $1 trillion in economic damage.
Lloyd's and the Cambridge Centre for Risk Studies at University of Cambridge Judge Business School examined the implications of a fictional attack where adversaries damaged 50 generators supplying power to the electrical grid and caused a blackout across 15 states along the East Coast and Washington D.C. and affected 93 million people. Lloyd's produced the Business Blackout report to help insurance underwriters understand how cyberattacks impact insurance and risk.
“As insurers, we need to think about these sorts of complex and interconnected risks and ensure that we provide innovative and comprehensive cyber insurance to protect businesses and governments," said Tom bolt, director of performance management at Lloyd's.
Lloyd's took the calculations a step further to calculate the amount the insurance industry would have to pay out in claims in the advent of a major cyber-attack. Lloyd's estimated an attack on the U.S. power grid affecting most of the East Coast would result in claims estimated at $21.4 billion. The amount of claims paid by the insurance industry would jump to $71.1 billion in the most extreme version of the scenario.
Lloyd's identified six primary categories of insurance claims in its report. Power generation companies would likely file claims for property damage to generators, business interruptions as a result of not being able to sell electricity, and costs incurred from incident response and regulatory fines. Power companies may try to recover a proportion of the losses incurred by filing claims against partner companies' liability insurance policies. Businesses who lost power may file claims to recover losses stemming from property damage, such as perishable cold storage, business interruption, the inability to comply with existing regulations. Homeowners could also conceivably file claims for property damage under contents insurance.
Companies indirectly affected by the blackout can also be due for insurance payments, for business interruption or supply chain disruptions. Companies with inadequate contingency plans may generate claims under their directors' and officers' liability insurance, Lloyd's noted in the report. The final category covered specialty covers, such as event cancellations.
Many organizations believe their existing insurance would cover cyber-attacks than is likely to be the case, Bolt wrote in the report. Understanding the impact of severe events is one of the key requirements for insurers to develop cyber risk coverage.
The scenario is plausible, but extreme, and falls under the kind of situations insurance companies consider when developing risk models, the company said. This poses a number of complex challenges for insurers, which would need to be addressed if insurers are to more accurately assess cyber risk and develop new cyber insurance products, the report said.
Lloyd's exercise, while interesting, gives insurance companies a starting point in understanding what kind of claims they will have to cover. Companies are looking to insurance companies to cover the cost of data breaches, and in many cases, insurance companies are pushing back. For example, California healthcare provider Cottage Health System filed a claim with its insurance company after a misconfigured server exposed tens of thousands of patients' files on the Internet. The insurer, Columbia Casualty, denied the claims because a clause in the policy indicating Cottage Health System failed to follow "minimum required practices." The insurer noted the healthcare company "stored medical records on a system that was fully accessible to the Internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who 'surfed' the internet." As a result, the claim wasn't valid.
More insurance companies are developing models and ways to assess risk for cyber-attacks, Jeremiah Grossman, founder of White Hat Security, told SecurityWeek during RSA Conference in April. This will have an impact on overall security. Pegging specific dollar amounts to cybersecurity and understanding what kind of coverage are provided by insurance policies would give organizations a clearer view of what constitutes risk. If nothing else, organizations will be more motivated to take certain steps to secure their data and infrastructure once they know what insurance will cover or not cover.
“This scenario shows the huge impact and havoc that could result from a major cyber attack on the US," Bolt said. "The reality is that the modern, digital, and interconnected world creates the conditions for significant damage, and we know there are hostile actors with the skills and desire