In the fast-developing cyber insurance marketplace, insurers have closely considered the possible risks and have analyzed the potential aggregation of such risks. While not the only topics of interest to insurers, these two are spotlighted in a new report that focuses on the hypothetical prospect of a cyber attack on the U.S. electric power grid and the potential type, volume, and geography of losses across multiple lines of insurance coverage.
The study, co-authored by the University of Cambridge Centre for Risk Studies and Lloyd’s, is based on a scenario in which 93 million people in 15 states in the eastern U.S. are without power due to a cyber attack. The study attempts to quantify losses to productivity, trade, and consumption, including projected losses that would follow from such an outage, including interruptions to public safety and transportation systems, water supply, and effects on tourism, social unrest, damage to food and other perishables, and trade and commercial activities as ports and other transportation facilities shut down.
The study estimates that the economic losses to the U.S. economy would range from $243 billion to over $1 trillion over a five-year period. The insured losses from such an event would total more than $70 billion, the study estimates. According to the U.S. Department of Energy, there have been at least 15 suspected cyber attacks on the U.S. electricity grid since 2000.
Major blackouts have ample precedent in the U.S. The August 2003 blackout that affected large areas of the Midwest and Northeast U.S. and parts of Canada (not related to a cyber attack) affected 50 million people, many of whom were without power for two days. Losses from the 2003 blackout are estimated to be in the range of $7 to $10 billion.
What is unknown is the extent to which a blackout caused by a cyber attack on the scale contemplated by the University of Cambridge/Lloyd’s study, if it occurred now, would affect the increasingly broad scope of automation and online devices that depend on the grid for power, and trigger multiple lines of coverage across a wide range of industries. The study notes that there is a “short history of claims experience [for cyber losses] available to calibrate the likelihood of future risk.” And while “there have been large individual business losses attributed to cyber attacks there have so far been no examples of catastrophe-level losses from a widespread cyber attack have a severe impact on many companies all at once . . . . The greatest concern for insurers  is that the risk itself is not constrained by the conventional boundaries of geography, jurisdiction or physical laws.” (p. 25.)
The authors are careful to say they are not saying or predicting that such a massive attack will occur. (p. 7.) Instead, they stress that “we believe that it is representative of the type of extreme events that insurers should assess in order to understand potential exposures” (p. 43) and that the report is intended to be “useful and challenging” to the insurance industry. (p. 7.) The recent study has been broadly publicized. It will almost certainly be part of continuing discussion about power grid vulnerability in the public domain, among utilities, and in the government. However, it will also spur further debate and analysis about the aggregation risk to the insurance community, including the cyber insurance marketplace, due to insureds’ dependence on the power grid.
The University of Cambridge/Lloyd’s study is available here.