ARPC reveals cost of cyber terrorism

ARPC identified cyber terrorism causing physical property damage as an emerging risk requiring further research to inform Government policy and to assist the insurance and property sectors in Australia.

So, in late 2018, ARPC commissioned a research project to examine the nature and cost of physical damage to commercial property (including business interruption), caused by acts of cyber terrorism.

The researchers selected to undertake the project were the Organisation for Economic Co-operation and Development (OECD) and Cambridge Centre for Risk Studies at the Judge Business School, University of Cambridge (Cambridge).

The scope (below) was split between OECD and Cambridge with OECD addressing items one to three and Cambridge points four to seven.

Project scope

  1. an evaluation of available insurance coverage in Australia for cyber attacks involving declared acts of war, criminality and/or terrorism
  2. the practicalities of extending ARPC’s insurance coverage to include cyber terrorism
  3. evaluating relevant international experience in introducing coverage of cyber terrorism to terrorism insurance schemes
  4. the direct and indirect impacts, in dollar terms, of insured and uninsured losses to commercial property and business interruption from acts of cyber terrorism
  5. estimates for Australian losses and the Australian economic impact
  6. realistic cyber attack scenarios in an Australian context – both current and prospective – including likelihood, direct/indirect impacts and existing insurance coverage and
  7. identification of systemic or contagion risks from cyber risks to the Australian economy.

Findings

The key findings are that cyber terrorism is not covered by commercial property insurance in Australia and the terrorism reinsurance scheme administered by ARPC excludes cover for cyber terrorism.

The scenario analysis conducted by Cambridge demonstrates that the average expected losses from the two modelled scenarios – a Lithium Battery fire scenario and a Building Management System Attack – are consistent with the expected losses from a traditional blast attack in the Sydney CBD and are within the capacity of the scheme. The maximum losses from these cyber attacks are significant and exceed the capacity of the scheme. The maximum loss from the lithium-ion battery scenario is similar to the maximum loss from a sophisticated biochemical attack using weaponised grade materials, as shown in Figure: Comparison of Cambridge (in dark orange) and ARPC scheme scenarios.

Figure: Comparison of Cambridge (in dark orange) and ARPC scheme scenarios

Availability of coverage in Australia

The OECD research found that a cyber insurance market is emerging in Australia to provide cover for first-party and third-party liability claims that may arise from malicious and accidental cyber incidents, with cover for property damage extensively sub-limited. The widespread use of the ISR Mark IV wording for property insurance has resulted in broad coverage for property damage resulting from cyber attacks. However, almost universally, these policies have exclusions for war and terrorism. Thus, they exclude cover for physical damage to commercial property from cyber terrorism.

In the event of a Declared Terrorism Incident (DTI) in Australia, the terrorism exclusions in the underlying insurance policy are annulled and insurers would be required to pay claims to the extent the cover is for an eligible insured risk under the ARPC scheme.

As cyber is not an eligible peril under the ARPC scheme, the terrorism exclusion in the underlying policy would not be annulled. The result is that losses from a cyber terrorism incident causing property damage to commercial property would be largely uninsured.

Practicalities of extending ARPC’s insurance coverage to include cyber terrorism

The probability of a cyber terrorism incident causing property damage is currently remote, although significant losses are possible.

Coverage for physical damage from cyber terrorism is unlikely to become available without the involvement of ARPC. Reinsurers involved in the study indicated that, given the challenges with modelling and underwriting this risk, their preferred method of involvement was assuming part of the aggregate risk through ARPC.

If cyber were to be included in the ARPC scheme, the pricing methodology and coverage would also need to be considered. For cyber attacks, the distinction between malicious, criminal, terrorism and war is blurred and it is very difficult to attribute with certainty the origin of an attack.

International experience

The OECD research found that Germany, Spain and South Africa provide direct insurance coverage without cyber exclusions.

For the reinsurance or co-insurance schemes in Austria, Belgium, France, Netherlands, UK and the USA, cover for cyber terrorism is included to the extent it is covered in the underlying policy.

In the reinsurance schemes in France and the UK, cyber terrorism cover is explicitly included.

In India and Russia, cyber terrorism is explicitly excluded, as is the case in Australia.

Launch event rescheduled

The final research reports comprising an ARPC Management Summary and the OECD and Cambridge reports have been published in a Compendium format titled Insurance risk assessment of cyber terrorism in Australia.

The launch event will take place as a Webinar on Thursday, 3 September 2020. In the interim period, the compendium is available for viewing by digital request form at arpc.gov.au/