On a cyber panel at AIR’s Envision conference a few weeks ago, and at the Advisen Cyber Risks Insights conference in London a few weeks earlier, I brought up a new concept we like to call “Silent Silent Cyber.” While AIR has written a blog about Silent Cyber and our forthcoming product can easily help manage your more “traditional” Silent Cyber risk (such as risks to a D&O or E&O book), Silent Silent Cyber is much more of an ethereal, yet potentially catastrophic, threat.
First, a quick definition; in our view, Silent Silent Cyber is the risk to non-cyber policies that can be indirectly exacerbated by a cyber event. In this blog, I’ll give two examples.
Frequent In Focus readers will recall AIR’s first cyber blog—which I wrote around three years ago—about a breach that made weather data from NOAA’s satellites unavailable and could have led to a degradation of weather forecasting model quality. Luckily, this didn’t happen during a major weather event, but imagine if it had. As I wrote a few years ago, “Imagine if there had been a hurricane or other major weather event during the breach. The compromised forecasts and model runs resulting from the unavailability of data could have led to casualties and property damage that could have been prevented with advanced warnings and preparations.” It would be impossible to quantify how much of the damage was due to weather model inadequacy because of the hack compared to what would have happened without the hack.
The second example is much more recent. About two weeks ago, someone hacked into the Dallas tornado sirens and made them all go off in the middle of the night. While sounding the sirens themselves wouldn’t be expected to lead to much loss, imagine if drivers on the road were distracted and involved in auto accidents. What if people had heart attacks from the surprise, or panicked and started looting or other behavior that could lead to losses? Or even more indirectly, imagine if the emergency 911 systems were backlogged with people calling in to report the sirens and real emergency calls couldn’t get through. And next time the sirens sound for real, folks may not pay any heed given that they cried wolf once before. Again, it would be impossible to connect any of these outcomes with certainty to the sirens being sounded, but the sirens would have exacerbated the situation.
It will be very interesting (and perhaps even scary) to see what other cases of Silent Silent Cyber come up over the next months and years. Regardless, cyber risk pervades nearly every insurance policy out there, and understanding and proactively managing your risk is something that can be done today.
See Scott Stransky and Evan Ritt’s webinar: