The lack of cyber insurance penetration has contributed to large economic losses and ongoing risk management challenges for critical infrastructure, particularly in marine and energy. What may look like near misses for the re/insurance industry can be manifestations of a global cyber threat that require a focused and innovative risk transfer solution.
The 2017 NotPetya cyber attack led to insurance industry losses of more than US$3 billion, according to PCS Global Cyber, but most of that went to the property market. Marine and energy insurers may have been spared, but their clients were not. Maersk and FedEx (TNT) were among the companies affected, with economic losses approaching US$1 billion according to PCS research.
The LockerGoga ransomware hit a series of energy and industrial targets in 2019, encrypting their data and paralyzing their systems before moving on to other devices in the network. Six companies were impacted, with an aggregate industry-wide insured loss of just over US$100 million, according to PCS Global Cyber data. Economic losses were even higher given, in part, the lack of cyber insurance penetration among the companies affected.
The Colonial Pipeline ransomware attack in May 2021 shows some evolution in cyber insurance penetration in the critical national infrastructure space. The cyber insurance cover in place certainly appears to have helped, but the extent of the impact – with fuel shortages and lines of up to three hours at gas stations – showed the potential for economic loss well in excess of the insurance coverage in place. Critical infrastructure appears to remain under-insured, representing for insurers both a growth opportunity and the chance to fulfill the industry’s stated mission more fully.
The cyber threat has continued to evolve, and right now critical infrastructure has been made more vulnerable, in part, by two full years of a worldwide pandemic. Add to that cyber risk, and the potential for significant insured and economic losses – as well as broad disruption to society – escalates quickly. Cyber is no longer an emerging risk – it’s an immediate risk that warrants at least an emerging solution.