Threat of cyber terrorism to commercial property
The Australian Reinsurance Pool Corporation has taken a lead on cyber terrorism research – which it sees as a potential threat to the orderly working of commercial real estate markets in the world’s capital cities. Dr Christopher Wallace talks us through the results of some recently-published research results – and its wider implications
By Paul McNamara
The harsh reality is that an act of cyber terrorism that leads to the destruction of, or damage to, commercial real estate could fall outside the scope of traditional insurance cover. Think of an office tower block that burns to the ground because a server room or individual computers are hacked to the point of combustion.
That such a terrorist act could undermine the very foundations of the commercial property sector is more than just an imaginary threat – and so the Australian Reinsurance Pool Corporation (ARPC) has been looking at the practicalities of extending insurance coverage to include cyber terrorism in Australia.
ARPC is Australia’s terrorism risk pool - a corporate commonwealth entity established under the Terrorism Insurance Act 2003 following the terrorist events that occurred in the US on 11 September 2001.
ARPC commissioned the Organisation for Economic Co-operation and Development (OECD) and Cambridge Centre for Risk Studies at the University of Cambridge’s Judge Business School (Cambridge), to undertake some ground breaking research to explore this area in depth.
“Commercial property insurance in Australia does not cover physical property damage caused by cyber terrorism or cyber war,” said ARPC CEO Dr Christopher Wallace. “The ARPC Scheme, Australia’s national terrorism insurance scheme also excludes coverage for physical damage caused by cyber terrorism.”
Simply put, cyber terrorism is not covered by commercial property insurance in Australia, and the terrorism reinsurance scheme administered by ARPC excludes cover for cyber terrorism.
The analysis conducted by Cambridge demonstrated that the maximum losses from two modelled cyber terrorism scenarios could be substantial and would exceed the capacity of the ARPC scheme – which could seriously undermine the investable profile of commercial real estate as an asset class.
While the research was focused on Australia, it seems likely that the insights derived could be usefully applied to other markets in the Asia-Pacific region.
“The lessons learnt in Australia are probably as relevant for the Asia-Pacific region,” said Dr Wallace. “Commercial property insurance generally excludes terrorism and war, and as such, cyber terrorism or acts of war through cyber by nation states would be excluded.
“In the rapidly-developing cyber-insurance market, there is cover available for terrorism, however, the sub limits covering physical property are relatively small and are designed to cover damage to computer hardware, not buildings. There is an insurance gap for cyber terrorism that causes damage to physical property.”
From cyber to physical damage
The research also identified several realistic scenarios whereby a cyber attack could result in physical damage to buildings and other infrastructure.
“This shows that it is possible to damage assets remotely using cyber attacks and there have been past examples of physical damage from cyber attacks,” said Dr Wallace. “Many insurance policies cover physical damage from cyber attack unless other exclusions are applicable to the event such as a terrorism exclusion clause in the general exclusions section of the policy.”
Does Dr Wallace see any avenues for furthering the research – either by going deeper or by broadening the scope?
“Yes,” said Dr Wallace. “On a related matter, ARPC is seeking to clarify the ‘computer crime’ exclusion in the Terrorism Insurance Act 2003 (TI Act). The computer crime exclusion in the TI Act means that the act will not remove the terrorism exclusion clause for cyber terrorism.
“This effectively means insurers are not covering physical property damage and business interruption losses from computer crime due to terrorism,” he said.
Pools for pandemics
There has been a lot of talk around the world in recent months about taking a ‘terrorism risk pool’ approach to pandemic risk – and, indeed, of subsuming pandemic risk under terrorism risk pools. Is this an area that ARPC had been consulted on and feels that there it can contribute to the debate?
“Yes, I recently contributed to an OECD Insurance and Retirement Savings Roundtable webinar on the topic of ‘Designing a pandemic risk insurance programme’,” said Dr Wallace.
“In Australia, we are seeing pandemic risk excluded from insurance policies. It is becoming an excluded peril much like terrorism. In Australia, the TI Act overrides terrorism exclusions in eligible policies in response to a declared terrorist incident. Therefore, it is feasible to have a declared pandemic, and to over-ride pandemic exclusions in eligible policies in the same way that terrorism exclusions are overridden.
It seems likely that a terrorism and pandemic scheme could provide certainty of cover to policyholders and could be beneficial to the insurance industry provided the over-ride is part of a risk transfer.