RMS (Newark, Calif.) has announced the expansion of its range of cyber models to include a new class of “cyber-physical” models. These new models explore a range of cyber attack scenarios that can cause physical damage to property, allowing property (re)insurers to manage this growing risk for the first time, the vendor claims. The vendor characterizes this new capability as building upon the existing suite of RMS cyber models, which focus on attacks against IT systems.
Cyber attacks that are intended to inflict physical damage to property have emerged faster than insurers’ ability to update policies, and, with multiple lines of business potentially affected, this activity by hackers poses a systemic threat across insurance portfolios, RMS argues. Cyber risk is no longer confined to specialist writers of affirmative cyber insurance but is now a peril that can cause losses in traditional property insurance policies, which are either ambiguous or silent about whether they will pay out for cyber-triggered losses, RMS asserts in support of its new offering.
“In the past two years, we have seen attacks that have damaged industrial plants, shut down building control systems, and caused power grid failures – all achieved by hackers targeting control systems that are linked to the internet,” comments Andrew Coburn, senior VP, emerging risks, RMS. “Insurers have begun to understand the risk of cyber-attacks on information technology systems, for example financial theft, data extraction and cyber-extortion. But with the rise of the Internet of Things, more devices are connected to computer networks which opens up new vulnerabilities for hackers to exploit. They can target operational technology, and thus the essential fabric of any business—even its bricks and mortar.”
Lines of Business Most Vulnerable to Cyber-Physical Attack
To allow insurers to identify silent exposures, RMS says it has analyzed the lines of business thought to be most vulnerable to cyber-physical attacks, such as commercial property, marine, energy, industrial and facultative facilities. The five new risk scenarios in the RMS Cyber Accumulation Management System allow insurers to identify silent exposures in these and other lines.
The scenarios are based on detailed technical analysis of vulnerabilities, possible attack vectors, and potential insurance payouts:
Cyber-induced fires in commercial office buildings: hackers can gain access to internet-connected office equipment, such as laptops, manipulating them to overheat and start fires. If the offices are unmanned this could lead to destruction of entire premises, as well as the facilities and systems they house.
Triggered fire in industrial processing plants: heat-sensitive devices, such as thermostats, can be sabotaged to ignite flammable products in storage.
Triggered explosions on oil rigs: a network operations center controlling an entire field of oil rigs could be targeted to cause structural misalignment of well heads, leading to the explosion of multiple oil rigs.
Cyber-enabled marine cargo theft from a port: port management systems are highly computerized and so valuable cargo can be stolen as a result of cyber attacks, for example through the use of malware to disrupt operating systems or to access sensitive cargo data.
Regional power grid outages: the control systems of power-generating companies could be attacked, allowing criminals to damage generators. This could cause a cascading regional power outage with huge losses to insured customers, as well as the power supplier.
RMS claims its launch of the cyber-physical models is an industry first, demonstrating how the models in its RMS Cyber Accumulation Management System are constantly evolving to ensure clients can properly consider aggregations.