Cyber risk; silent threat for engineering insurance

4 October 2016 - The Internet of Things (IoT) and cloud computing have a direct influence on the engineering insurance risk landscape but are being underestimated by underwriters according to The International Association of Engineering Insurers (IMIA). A specialist working group established by IMIA to identify the challenges from cyber risks and how they apply to engineering insurance lines reported to the Association’s members at the annual conference in Doha, Qatar today.

Alexander Schmidl, the chair of the IMIA working group, called for increased dialogue between underwriters, brokers and risk managers to promote a greater understanding and awareness of cyber risks in the engineering insurance sector.

Mr Schmidl said: “The perception that cyber events do not cause physical damage is being challenged; such damage from cyber risks is a reality and is an issue for all lines of engineering insurance.

“Engineering underwriters must address the issue of cyber on all covers they write.

Keeping pace with cyber trends is key if they are to remain current in assessing and carrying related risk. Continuous learning will qualify insurers to be long-term risk partners for the industry and its increasingly complex risks.”

Cyber risk can be present anywhere technology and software are used so has the potential to impact right across all phases of an engineering project. The use of computer-based systems to control industrial processes and operations, known as Industrial Control Systems (ICS), are another area of increasing vulnerability and loss exposure for engineering classes that underwriters need to consider - according to Dell’s annual threat report, worldwide cyber-attacks against these systems doubled from 2013 to 2014^[1].

The IMIA Working Group reviewed standard questionnaires and clauses for engineering covers and found that the IT component was hardly mentioned. This is an underestimation of the increasing importance of IT in industrial processes and infrastructure. Potential loss scenarios based on the increasing interconnectivity of and remote access to industrial control systems are also under-evaluated.

The Working Group also highlighted the challenges inherent in the pricing of engineering insurance in relation to cyber threats. Mr Schmidl said: “Traditional engineering lines pricing is usually retrospectively derived from loss and exposure data covering areas such as loss frequency, exposure data and the severity and distribution of losses. To create an effective cyber pricing model for engineering lines will required increased focus on collating cyber loss data in all these areas.

“Industry-specific cyber loss scenarios have to be identified and defined. Transparency in respect of cyber losses and the sharing of data after any loss pay outs and forensic investigations should be a goal, particular for those involved in claims. However, this has its challenges with the incomplete nature of contemporary loss data for cyber events, with many cyber events remaining unpublished to protect corporate confidentiality and reputations.”

“To achieve a balance between insurance needs and risk mitigation there needs to be greater awareness and a common understanding of cyber amongst all parties. The insurance industry is making important strides with insurers and brokers offering targeted cyber risk consulting and tailored solutions. But there needs to be greater risk dialogue and analysis of the threat as part of the risk management process. Keeping risk management at a strategic level is key as a cyber insurance solution should not replace solid IT security standards.”

Mr Schmidl concluded: “Ignoring cyber risk will create a significant issue for technical insurers. Engineering insurance carriers have to decide how to manage the growing risk from the various threat sources. Failing to do this will not allow for the creation of an adequate long-term cyber risk business model with an appropriate risk return. It will become a greater challenge to price, and legal uncertainties may make this strategy more complicated in the future.

The conference which this year runs from 1 to 5 October, is sponsored by Qatar Central Bank and hosted by Qatar General Insurance and Reinsurance Company (QGIRCO). This year will be the first time the conference has taken place in an Arab country.

The annual event provides a forum for sharing current knowledge and best practice affecting the sector developed by the Association’s expert working groups. In addition to cyber and war and terrorism risks, delegates will be discussing cost overrun and project financing, natural catastrophe modelling and the latest developments in boiler technology.

ENDS

For further information, please contact:

Full Circle Communications

Alex Wise

Mobile        +44 (0) 7710 665 615

Tel:              +44 (0)20 7265 7887

Email           awise@fullcirclecomms.co.uk

Notes to editors

^[1]https://software.dell.com/docs/2015-dell-security-annual-threat-report-white-paper-15657.pdf

The International Association of Engineering Insurers (IMIA) comprises a network of engineering insurance experts from around the world, who share their experience and knowledge, and together investigate critical and emerging issues relevant to the engineering insurance sector.