Hostile’s the word
Christian Wells, Special Counsel for the Pool Reinsurance Company, looks at the current terrorism risk management trends and analysis, ahead of the annual International Forum of Terrorism Risk (Re)Insurance Pools in October
As the world digitalises at an ever increasing rate and our daily lives become ever more influenced by online activities, there is a concurrent issue: we are all - individually and as groups - more vulnerable and exposed to malicious cyber activities. It is paramount that we are aware of those associated risks and consider the need for cyber risk protection.
Cyber terrorism and cyber warfare have been evolving quickly. Counter terrorism experts and security organisations are constantly developing risk assessment tools and technology in the race against terrorist threats.
Meanwhile, the insurance industry is also optimising terrorism insurance products and adapting coverage to meet the ever-changing risks. Insuring cyber exposure is challenging due to the risk of accumulation and terminological ambiguity surrounding cyber policy wording, especially in the context of war and terrorism. Radical thinking and actions are required to mitigate cyber risk and promote societal preparedness and prevention measures against malicious cyber activity.
The main risks – cyber criminality, terrorism and war – move beyond the mere physical domain. The cyber domain is instead used as a platform from which loss is generated. The loss itself may be physical, non-physical or a hybrid and can range from disruptive to destructive. The impact and groups affected will vary with the type of loss.
Working towards a common language
Against this backdrop, The International Forum of Terrorism Risk (Re)Insurance Pools (IFTRIP) and The Geneva Association (GA) recently published a new research report, proposing a common language for insurers to approach cyber warfare and cyber terrorism.
Currently, the definitions and understanding of cyber terrorism and cyber warfare may differ depending on how they are applied in different settings, for example military or political. But cyber incidents are not bound by geography and can simultaneously generate disruption in multiple jurisdictions and across various businesses.
Moreover, in many cases, what has been called cyber terrorism or cyber warfare was in fact something other than terrorism or warfare carried on by cyber means: it was instead state-backed cyber activity - short of war - aimed at covertly damaging the economies or infrastructure of other states, often through attacking corporations.
Thus, an acute need had developed for precise terminology around cyberattacks, which open up governments, businesses, individuals and communities to new exposures and uncertainties.
In 2018 Pool Re had reintroduced limited cyber cover by using positive language to reduce the scope of an otherwise blanket exclusion. But that was relatively unusual: other IFTRIP pools covered cyber terrorism automatically if the underlying insurance did, and thus needed no definition.
The notions of cyber terrorism and cyber warfare are still divergent between states. A global consensus on the exact behaviour or a set of criteria that define a cyber event as either terrorism or warfare is what we need to improve our counterterrorism measures.
The term ‘Hostile Cyber Activity’ can be a potential tool for the insurance industry to mitigate this ambiguity, which can cause significant issues.
Hostile cyber activity
The definition of Hostile Cyber Activity (HCA) sits somewhere between cyber terrorism and cyber war:
• Its intent is to cause serious damage in or to another state regardless of publicity or the causing of terror;
• It tends to be perpetrated by, on behalf of or with the financial (or moral) support or encouragement of nation states; and/but
• It can be distinguished from terrorism and falls short of war as currently defined. It is reasonable to presume that the activity is currently regarded by the state involved as a satisfactory proxy for war – hence the label ‘hostile’.
HCA generally, but not invariably, refers to covert attacks aimed at economic targets or at undermining or destabilising public life (including democratic processes) or public trust, using cyber means or triggers perpetrated generally by, on behalf of or with the practical support and/or moral encouragement of nation states.
The term ‘hostile’ also offers a clear distinction from simple error, systems failure and criminal hacking, which is not in itself hostile. An activity becomes hostile when it is perpetrated by or on behalf of a state and is aimed at causing one or more of the following:
1. Disruption to any level of government
2. Death or injury (physical or mental)
3. Property damage and losses
4. Direct and indirect business interruption (BI)/disruption
5. Economic/financial loss and damage
6. Environmental damage (e.g. pollution)
7. Undermined or diminished public trust
8. Civil unrest
9. Political strife
10. Loss/damage to relationships or reputation (or plain embarrassment)
HCA is likely to cause destructive and/or disruptive impact and can potentially generate large individual and aggregate losses. ‘Destructive impact’ refers to physical damage to the IT hardware or components of a computer system, property damage, death or personal injury, etc. For example, it could be shutting down the cooling systems of gas turbines, opening the sluice gates of dykes and closing the safety valves on pressurised water tubes.
Meanwhile, ‘disruptive impact’ refers to the unavailability of systems, services and infrastructure. Examples include ATM blocking, the hacking of bank accounts, causing computer outages or data corruption in hospitals and the emergency services and attacking the power grid, resulting in blackouts and the interruption of food and fuel distribution chains.
Narrowing the gap between terrorism and war in the cyber context offers the opportunity for increased insurability as underwriters can assess such risks, make informed decisions about coverage and provide clarity and set parameters of coverage for an insured. The term could be a stepping stone for risk managers and the insurance industry to optimise risk mitigation, providing clarity around insurance coverage and reducing the protection gaps. If it succeeds in reducing uncertainty, the outcomes and issues associated with coverage in future disputes could be anticipated without lengthy legal battles and potential reputational damage.
Maintaining the momentum in counter terrorism
Losses related to cyber terrorism are also becoming more likely to exceed the capacity of commercial insurance markets due to the rapid development of malicious cyber activities. Private/public partnerships, like Pool Re, are one of the ways of handling the issue. With an increasing level of cyber terrorist threats, it is crucial for counter terror experts, the insurance industry and the authorities to exchange knowledge and collaborate. Establishing a common language is one way to improve our ability to holistically analyse the potential accumulation risk from hostile cyber acts, which enables us to understand the risk exposure and appetite.
For the full research report ‘Cyber War and Terrorism: Towards a common language to promote insurability’, please click here.
IFTRIP is hosting their annual forum online on 13-15 October, discussing six pivotal themes in the field of counter terrorism, security, risk and (re)insurance. Please register here.