The flood risk that might be unaccounted for

Insurers might be unintentionally covering flood and fire risks arising from computer problems, a cyber expert with a risk modelling firm suggests.

“Anything that is related to a computer system could trigger non-cyber losses,” Matt Honea, cyber director for Cyence Inc., said in an interview. Cyence is the analytics and data services unit of Guidewire Software Inc.

Cyence and Aon recently examined the risk of a hacker opening flood gates at a hydroelectric dam in the United States – which could cause flooding to properties downstream, insured losses of $10 billion and total economic losses of up to US$56 billion.

“We have an issue here,” Honea said of flood risk arising from an attack on a hydro dam. “If it’s in the U.S., I am sure it’s global as well.”

This is one example of the “silent cyber risk,” where a computer problem – such as malware – causes a non-cyber loss such as fire or flood.

“Flood policies have unintentional cyber risk because the proximate and covered cause of loss would be the flood — not the cyberattack causing the flood,” Cyence and Aon said in the report, Silent Cyber Scenario: Opening the Flood Gates, released Oct. 25.

Other silent cyber risks could include power outages caused by computer security incidents, said Honea, who co-authored the Silent Cyber report. Power outages could be considered silent cyber because they could cause losses such as business interruption and food spoilage.

The problem is, some of these losses are not modelled the way natural catastrophes like earthquakes are, said Honea.

To model the losses arising from an earthquake, an insurer could look at a “geographic database,” he said.

Most insurer’s earthquake frequency models come from the same data sets, such as government agencies.

But with cyber it is “very different,” said Honea.

“There is no authoritative database” of cyber incidents. “You have to get creative, you have to figure out all the entry points, you have to figure out what devices are being used.”

In the United States, operators of hydroelectric dams are “increasingly automating control systems, both to realize efficiencies and to capture real-time data that improves dam safety and operation,” Cyence and Aon said in Silent Cyber Scenario report. That report is about a hypothetical scenario where a criminal uses a phishing attack to gain access to the computer system of an engineering firm. One of the firm’s clients is a dam operator, for which the engineering firm provides information technology support.

“Once in the engineers’ network, the threat actor waits for an engineer to log in remotely to the dam’s control systems and captures their login information. The threat actor then uses these credentials to access the system.”

In that scenario, the criminal learns how to raise the gates and outlets of the dam remotely.