Cyber-physical Attacks on Critical Infrastructure: What’s Keeping Your Insurer Awake at Night?

Cyber-physical attacks on critical infrastructure that have the potential to damage those physical assets and to cause widespread losses to third parties are keeping your insurer awake at night.  A cyber-physical attack on critical infrastructure occurs when a hacker gains access to a computer system that operates equipment in a manufacturing plant, oil pipeline, a refinery, an electric generating plant, or the like and is able to control the operations of that equipment to damage those assets or other property.  A major cyber-physical attack on critical infrastructure is a risk not only for the owners and operators of those assets, but also for their suppliers, customers, businesses and persons in the vicinity of the attacked asset, and any person or entity that may be adversely affected by it (e.g., hospital patients and shareholders).

Because damages caused by a cyber-physical attack can be widespread, massive, and highly correlated, affecting multiple sectors of the economy and many lines of insurance, the insurance industry is giving this risk heightened attention.  The U.K. insurance marketplace Lloyd’s, London and the University of Cambridge, for example, conducted a major study of the losses resulting from a hypothetical cyber-physical attack on 50 electrical generators in the Northeast U.S. Other insurance market participants have also published reports addressing cyber-physical risks to critical infrastructure.  The insurance industry’s focus on cyber-physical risks perhaps should be action-guiding for corporate policyholders as well.

To read the full alert on K&L Gates HUB, click here.