Cyber attack

Event: Stuxnet attack on Bushehr Nuclear Power Plant, 2010
Location: Iran

Economic cost: No figures are available, but the attack caused physical damage as well as consequential and business interruption losses. As the plant cost almost $11bn to build, physical losses alone could amount to billions of dollars.

Description: A virus infected computers via USB keys, and once in Bushehr’s internal network, it sought out industrial control systems and was then able to change instructions and affect the way machinery operated. Stuxnet malware attacks industrial control systems that are integral to the energy sector, particularly in the Middle East, where infection rates run at 56% in the United Arab Emirates and 23% in Saudi Arabia. US oil giant Chevron reported a Stuxnet infection in 2014. Physical damage from cyber attacks is a worldwide concern, and in 2014 Germany’s Federal Office for Information Security reported that a cyber event had led to a fire in an unnamed steel works after its furnaces were unable to shut down.

Damage: Stuxnet destroyed almost 20% of Iran’s uranium enrichment centrifuge capability, which led to the suspension of its enrichment programme.

Insight: In 2014, the US cyber insurance market was worth $2bn. Historically, media, financial and retail institutions have been at the forefront of cyber exposure given the volume and sensitivity of data they hold. However, the advent of physical damage created by compromised industrial control systems makes cyber a priority for manufacturing, industrial and energy sector organisations. Not all markets cover physical damage from cyber attacks, and many property covers exclude damage from hacking.

Insurance solutions: The Lloyd's market offers cover in relation to Cyber attack. Examples of this include but are not limited to: cyber attack/cyber terrorism cover, which includes indemnification for third-party physical damage and business interruption loss, in addition to first- and third-party cyber insurance (including cover for business interruption, crisis management, IT forensics, cyber extortion, digital asset restoration and privacy liability). Directors' and officers' (D&O) insurance products offer indemnification in the event of lawsuits brought about following a data breach.

Image: Bushehr Nuclear Power Plant, Iran (Getty Images)

Sources: Betterley Risk Consultants; Carnegie Endowment for International Peace; Willis Re

Given the worldwide nature of our cyber exposure, we take into account factors such as sector of the insured, systems they use that may be a target, vendors they use that may pose an aggregation risk and the potential of virus or malware to affect multiple companies.

Geoff White, Underwriting Manager,
Cyber, Technology and Media at Barbican



Our cookies are there to make it easier for you to use our website. They allow us to recognise our registered users, count visitor numbers and find out how they navigate the site; helping us make changes so you can find what you’re looking for faster. Find out more