Lloyd’s worked in partnership with CyberCube and Guy Carpenter on its new report for syndicates, designed to support their understanding of emerging cyber risks

Lloyd’s of London has warned syndicates in its latest report of the “increasingly high risk” threat of cyber attacks posed by Internet of Things (IoT) devices.

Its report, The Emerging Cyber Threat to Industrial Control Systems, is aimed at helping syndicates to understand the impact of emerging cyber risks on business portfolios.

Lloyd’s worked in partnership with cyber analytics specialist CyberCube and reinsurance broker Guy Carpenter to produce the report, which explores the risks of IoT devices as cyber threats continue to evolve.

It stated: “It is crucial that syndicates recognise that cyber-physical risks are growing and require considered and committed action.”

The report considers potential real-world scenarios, hypothesising the physical damage to major industrial and manufacturing organisations, and identifies the classes of business that could be exposed, such as accident and health, aviation and other specialty lines.

Kirsten Mitchell-Wallace, Lloyd’s head of portfolio risk management, said: “The Lloyd’s market is advanced when it comes to insuring cyber risks and it is therefore vital [that] Lloyd’s syndicates underwriting this class of business have the ability to analyse their portfolios against the most sophisticated and technologically advanced risk scenarios.

“We know that the risk of ICS-based (Industrial Control System) cyber-physical events is increasing and because of this, we’ve partnered with CyberCube and Guy Carpenter to create illustrative scenario pathways based on highly realistic threats and modes of attack.”

The report recommended continued research and diligence to improve risk management and underwriting standards in this emerging area of cyber risk.

Physical risk concerns

Previously, cyber attack risks have not been considered to materially impact the physical market, as most losses are non-physical.

However, the report warned that now physical risks have become a “rapidly growing concern” for industrial businesses, demonstrated in high-profile breaches – one being Amazon’s Ring.

In the report, the three firms conducted an analysis which detailed three scenarios that represent the most plausible routes of a cyber attack against an ICS in relation to major insured losses.

For example, in one scenario, once attackers gained access to a target firm’s IT system, they exploited ICS to inflict physical damage on the plant, which could in turn involve gaining control of water pumps or temperature regulation systems.

It considers four key industries that are dependent upon ICS: manufacturing, shipping, energy and transportation. The report assesses the potential impact on each.

The report focuses on three potential routes of attack by organised hackers:

  • A targeted supply chain malware attack, in which malicious actors breach a device manufacturer and compromise that manufacturer’s products before distribution.
  • A targeted attack in which attackers exploit a vulnerability in widely used IoT devices found in industrial settings.
  • The infiltration of industrial IT networks to cross the Operational Technology (OT) “air-gap”.

Systemic risk

Pascal Millaire, CyberCube’s chief executive, said: “The potential for a major ICS attack is all too real today given several real-world examples of such attacks. As we roll out hundreds of billions of additional IoT devices, it will become even more important in the future and could eventually become a systemic risk for the global economy.”

Millaire added that working alongside Lloyd’s and Guy Carpenter to design these scenarios was an important development for the industry on this emerging risk.

Meanwhile, Jamie Pocock, Guy Carpenter’s head of GC cyber analytics, international, added: “A major ICS attack could impact a broad range of industrial businesses and classes of insurance.

“As these attacks cross the divide between information technology and operational technology, they could conceivably involve significant property damage and loss of human life.

“The key is continued research, surveillance and risk selection to help improve underwriting standards and portfolio management.”

The report concluded that “there is a comparative lack of understanding and awareness of cyber-physical risks”.

It recommended that syndicates monitor product coverage carefully across classes that relate to cyber-physical peril, as well as monitoring the threat landscape and correlation for risks stemming from attacks that bridge the IT/OT gap.