Expert Risk Articles

How cyber risk can impact megacities

The number of megacities is increasing, with the growth of urban areas exceeding 10 million inhabitants a particular phenomenon across Asia. Such highly interconnected, dynamic and vibrant centers are predicted to contribute higher income and living standards for their citizens over time.

However, they also bring a number of new risk challenges which society will need to address, share knowledge around and find solutions for, one of which is the threat posed by a major cyber-incident.

Megacities - Cyber Risks

In 2016 more than half of the world’s population live in cities. By 2030 it is expected to be two-thirds, many of whom will live in megacities – urban areas exceeding 10 million inhabitants.

Megacities accumulate impressive physical, human and intellectual resources, increasing economies of scale and lowering production costs. A McKinsey study on the megacity’s attractiveness for business predicted that in future the economic compound annual growth rate (CAGR) of the top 20 megacities will be 7.6%. As such these cities would outpace the rest of the global economy by almost twice and account for $5.8trn of global gross domestic product by 2025[i]

Growth in megacities has been a remarkable recent phenomenon. In 1950 there was just two  - Tokyo and New York. By 2000, this had increased to 18. Today, there are 29 megacities with the majority (16) located in Asia. Historically, western nations have led global urbanization. In the future Asia - and its megacities -  are predicted to lead this development. Within the current decade, 60% of the growth in the world’s urban population will be generated in Asia - more than 400 million people, according to UN Habitat.[ii]

Megacities matter today and will do so even more tomorrow – the number is expected to grow to over 40 by 2030. Such megalopolises show where urban development is heading and how transport, energy, culture and economies can be organized but such extreme concentrations of people also pose big risk challenges, such as increasing exposure to natural catastrophes, pandemic outbreaks and terrorist attacks. In addition, there is increasing concern about the potential impact of a major cyber-attack or incident, as is discussed in a new AGCS report: Megacities - Pushing the Boundaries of our Industry.

For a city, the impact of a cyber-attack is correlated not only to its size but also to its degree of decentralization and “smartness”. A “smart” city uses IT to improve the livelihood and security of its citizens. Megacities differ from smaller cities, not only in their enormous size and high growth rates, but also in both the depth and the range of their resources and the complexity – i.e. the smartness – of assuring the reliable functioning of all the services on which life depends. In short, for megacities, generally all three correlation parameters, i.e. size, decentralization and IT-based smartness, are – with high likelihood – aggregated and can create an explosive mixture.

The smartness of a megacity shows in many ways. Newer smart developments are, for example, waste management, which operates on an as-needs-basis using containers equipped with volume signaling technology; street lights, which are controlled by sensors to adjust to weather conditions, or the smart grid, which manages energy production in real-time under the aspect of supply demand and cost-efficiency.

The scenarios deriving from a potential attack on a smart city are multifold and of differing impact. While dysfunctional waste management can create a difficult situation, a  breakdown of a city’s CCTV system due to a cyber incident could severely cripple its strategy for counterterrorism, for example. Generally, a power-outage following an attack on the smart grid is described as the worst case scenario. For example, according to  a recent simulation by Lloyd’s and the University of Cambridge, the economic impact of a severe, yet plausible cyber-attack against the US power-grid could total in excess of $240bn, possibly even rising to more than $1trn[iii].

Areas of vulnerability and evolving risks

Asia’s rich diversity and varying economic development stages are reflected in its megacities in terms of maturity and also IT-based smartness. Tokyo, for example, as Asia’s most mature and oldest megacity, relies heavily on IT-based solutions for its inhabitants - sensors, cameras and smart meters steer traffic, maintain security and manage electricity consumption. Low- or medium- mature megacities in Asia utilize IT to a lesser extent and are subsequently less exposed to cyber-threats. However, their vulnerability will increase, starting with the area of public transport. As an example, newly commissioned Mass Rapid Transport (MRT) projects will make Asian capitals like Jakarta, Manila, and Bangkok increasingly smart. Compared with rural areas and smaller cities, megacities will always be the forerunner for applying IT with the goal to increase efficiency and improve the livelihood of their citizens.

The threat of cyber-attacks and the mission to protect IT-dependent megacities, their citizens and business against them, is one of the greatest conundrums to be faced by the insurance industry and authorities alike. And with the spread of the “Internet of Things” and global interconnectivity, the frequency and severity of cyber-attacks have increased and will continue to do so.

Also, the nature, quality and complexity of potential cyber-claims have been evolving. Initially, cyber risk manifested itself in insurers’ books as claims for the loss or theft of personal data. Today, many cyber-attacks are executed with the goal to cause damage in the form of property damage (PD), business interruption (BI) or contingent business interruption (CBI). This adds further to the dilemma of cyber underwriters. How can the insurance industry cope with this situation and move forward in a meaningful way? Clearly, there are positive developments which need to be annotated.

Scenario planning and coverage developments

Firstly, the industry is employing experts for scenario planning and modeling. As a result, the broad impact of a potential cyber-attack has become more visible, and to some extent, more quantifiable. For example, the blackout simulation mentioned above documents the potential for first party claims (PD, BI and CBI), which could be lodged by utility companies, their corporate customers and their private clients. Moreover, the study outlines how third party claims will affect the liability, error and omission (E&O) and directors and officers (D&O) insurance programs of utility companies and their IT-suppliers.

Secondly, in addition to increased research and visibility, insurers are also in the process of expanding coverage, reducing ambiguity and building up risk management capabilities. For example, AGCS, has heavily invested in its cyber-related risk engineering services. Other insurers partner with third-party vendors from the IT consulting sector to support clients.

Regarding coverage, leading insurers have gone beyond the traditional US-form, which had been geared towards third party exposure only, and have created a complete new section in the policy wording to deal with first party claims. Simultaneously, the industry has reduced ambiguity by dropping terrorism exclusions from cyber wordings.

Importance of multi-level dialogue

However, the technical advancement of cyber- attackers, their capability to specifically target critical infrastructure and the relatively small available loss experience to date remain major concerns for insurers. Considering the size of the cyber-threat in the light of rapidly growing-megacities, the necessity becomes evident to create a new form of multi-level dialogue and cooperation, which transcends the traditional circle of insurance practitioners.

Regular expert dialogue sessions, in which authorities exchange details about the latest cyber risk trends on a confidential basis with the key staff, including chief security officers, of insurers, brokers and other leading companies operating in the megacity’s territory are needed. The insurance industry could lead this initiative in partnership with the world’s megacities. Together, they could bring those companies, which are most knowledgeable about, or susceptible to, cyber-attacks, such as telecommunications and utilities companies, for example, to the table in order to build-up the necessary experience pool and establish a “big-data approach” to cyber-risk. In the long term, this knowledge exchange will be crucial in enabling adequate pricing and developing best practices in cyber underwriting and risk management.

A similar approach would also be helpful for dealing with the threat posed by natural catastrophes, pandemics and terrorism – both across the Asia region and elsewhere. In recent years, a number of the world’s largest insurance, reinsurance and broking companies have established their own science, analytics and innovation departments or partnered with educational institutions to focus on emerging risks and the use of data to develop insurance solutions. Just as megacities will require their citizens to co-exist with greater reliance upon each other in a diverse, ever-changing environment, so must the insurance industry begin to pool its resources and share with other stakeholders to develop solutions for the future.

This article was originally published in Insurance Day.

[i] McKinsey Global Institute, 2012 P.5
UN Habitat, 2010 P.6
[iii] Lloyd’s Emerging Risk Report 2015: Business Blackout