Canadian Underwriter

Cyber attack on U.S. power grid reveals potentially catastrophic impact on insurance industry: scenario


July 8, 2015   by Canadian Underwriter



The U.K.-based Cambridge Centre for Risk Studies reports that a scenario developed for Lloyd’s involving a concerted, malicious cyber attack on the electrical grid in the United States indicates such an attack has the potential to be a catastrophic event for the insurance industry.

Published Wednesday, the Erebos Cyber Blackout Scenario shows a cyber attack on critical infrastructure could impact a large number of insurers and many lines of insurance cover, notes a statement from the centre, a multidisciplinary centre for the study of the management of economic and societal risks that is part of the University of Cambridge Judge Business School.

Business Blackout: The insurance implications of a cyber attack on the U.S. power grid, released jointly by the centre and Lloyd’s of London, notes the scenario’s impact on the U.S. economy is estimated at US$243 billion, rising to more than US$1 trillion in the most extreme version of the scenario. Categories of economic loss include direct damage to assets and infrastructure, direct loss in sales revenue to electricity supply companies, direct loss in sales revenue to business, indirect losses through value chains, and long-term economic effects.

The Cambridge Centre for Risk Studies issued a report on losses from a possible cyber attack on the American power grid

The total of claims paid by the insurance industry is estimated at US$21.4 billion, rising to US$71.1 billion in the most extreme version of the scenario.

Specifically, the scenario involves an electricity blackout that plunges 15 U.S. states, including New York City and Washington, D.C., into darkness and leaves 93 million people without power. A piece of malware (the Erebos Trojan) infects electricity generation control rooms in parts of the Northeastern U.S., going undetected until it is triggered on a particular day when it releases its payload, which tries to take control of generators with specific vulnerabilities.

“It shuts down factories and commercial activity responsible for 32% of the country’s economic production,” states the report. “Companies, hospitals and public facilities with back-up generators are able to continue in operation, but all other activities requiring power are shut down. This includes phone systems, Internet, television and radio, street lights, traffic signals, and many other facilities,” it adds.

“Experts predict it would result in a rise in mortality rates as health and safety systems fail; a decline in trade as ports shut down; disruption to water supplies as electric pumps fail and chaos to transport networks as infrastructure collapses,” notes a statement from Lloyd’s.

“The reality is that the modern, digital, and interconnected world creates the conditions for significant damage, and we know there are hostile actors with the skills and desire to cause harm,” Tom Bolt, director of performance management at Lloyd’s, says in the statement.

“As insurers, we need to think about these sorts of complex and interconnected risks and ensure that we provide innovative and comprehensive cyber insurance to protect businesses and governments. This type of insurance has the potential to be a valuable tool for enhancing the management of, and resilience to, cyber risk,” Bolt adds.

Developed by the centre over the last three years, the methodology underpinning the scenario analyzes the potential impact of various emerging risk scenarios on business, especially insurance, and on the economy. The scenario is not a prediction, but rather a stress test for businesses to explore their processes for dealing with very unlikely, but plausible, extreme events, the centre reports.

“Using a detailed technical analysis of how a cyber attack could be carried out and what it would do, we can set out a realistic stress test for portfolio management,” Dr. Andrew Coburn, director of the centre’s advisory board and senior vice president of RMS Inc., says in a statement from the centre. “This enables insurers to assess their potential losses across all business lines, not just specific cyber risk covers,” Coburn points out.

In the report, Bolt notes that surveys suggest cyber is an under-insured risk. “Understanding the impact of severe events is one of the key requirements for insurers to develop cyber risk cover,” he states.

The scenario reveals three attributes of cyber risk that are particularly significant for the development of insurance solutions: systemic exposure, the fact that cyber attack is an intangible peril, and the dynamic nature of the threat.

“For insurers, responding to these challenges will demand innovative collaborations harnessing multi-disciplinary expertise. Key requirements will be to enhance the quality of data available and to continue the development of probabilistic modelling for cyber risk,” Bolt emphasizes.

Notes the report, “While there have been large individual business losses attributed to cyber attacks, there have, at the date of writing, been no examples of catastrophe-level losses from a widespread cyber attack affecting many companies and insurers at the same time.”

Disruption to the U.S. power grid from such an attack could trigger a broad range of claims, including property damage claims from power generation companies, business interruption claims from companies that lose power, and contingent business interruption and critical vendor coverage claims from companies indirectly affected, the report states. “This poses a number of complex challenges for insurers, which would need to be addressed if insurers are to more accurately assess cyber risk and develop new cyber insurance products.”

The scenario is designed to help improve the insurance industry’s “understanding of the operational cyber risk and support them in developing strategies for surviving financial and underwriting challenges in an increasingly connected world,” says Coburn. The good news is that “we have shown that if such an event did occur, it would be within the capacity of the insurance industry to withstand this level of losses,” he says.

A number of factors were considered in coming up with the scenario, notes the centre statement, including the groups that might carry out such attacks, their motivation and capabilities; the form the attacks might take; and the difficulties perpetrators would have in overcoming the defences that are currently in place.

“Elements from real-world events have been blended into the scenario, along with errors in human judgment and security architecture and failures in attack detection,” Coburn adds.

Although a variety of cyber-physical attacks against electric grids are possible, “it would be very difficult to carry them out at scale because of the enormous amount of time and skills involved to overcome the defences that are already in place. This is not the end of the power grid. People will not be returned to the stone age,” Coburn says.

“A cyber attack of this severity is an unlikely occurrence, but we believe that it is representative of the type of extreme events that insurers should assess in order to understand potential exposures,” notes the Lloyd’s conclusions section of the report. “The likelihood and impact of severe events remain subject to much uncertainty, and the pace of insurance innovation should be linked to the rate at which this uncertainty can be reduced,” it states.

“The systemic, intangible, constantly evolving nature of cyber threats presents significant challenges for gathering the data required to achieve accurate quantification of the risk for insurance portfolios, which could span the global economy,” Lloyd’s points out. “A key mechanism, therefore, by which any insurance or research organizations might be able to achieve the insight needed to capture the full extent of the risk could be enhanced data exchange,” it adds.

The report notes, however, that given the evolving threat landscape of cyber risk, particularly in the operational technology domain, insurers need to assess cyber risk technically rather than statistically.

Notes Bolt, “The combination of insurers’ expertise in pricing risks together with the capabilities of the cyber security sector to assess threats and vulnerabilities, and the risk modelling expertise of the research community, has the potential to offer a new generation of cyber insurance solutions for the digital age.”

