Terrorism coverage can easily be expanded to underwrite physical damage caused by cyber attacks, according to catastrophe risk modelling firm Risk Management Solutions (RMS).
RMS said its models indicated individuals carrying out acts of terror, including in cyberspace, were focused on causing loss of life and injury.
Gordon Woo, catastrophist at RMS, said: “It’s not that easy to find cyber scenarios that involve killing people. That’s why, in my view, the ability to underwrite the risks of physical damage from cyber is easy to underwrite.”
Attacks generating high profile media coverage through injury and loss of life are more attractive to would-be terrorists than disabling national infrastructure and causing economic disruption, the firm said.
The RMS comments follow the move by Pool Re to cover physical damage emanating from cyber terrorism within 12 months.
While the technology available to violent extremists continues to evolve, current capabilities do not make physical damage from a cyber event more likely, thought Woo.
Woo added: “A cyber attack could be used, for example, to disable fire alarms or something like that. But you have to ask the question: what kind of attack would actually kill people as opposed to causing damage?
“You can cause damage, but it’s not so easy to find cyber scenarios that actually involve killing people. That’s why, in my view, it’s not really a scenario.
“This is one of the reasons why you could well underwrite the risk, because it is pretty small.”
However, RMS also underlined that attacks from state-sponsored organisations were still likely and that physical damage could result from these.
Thomas Harvey, cyber risk specialist at RMS, said: "Cyber attacks leading to physical damage are clearly possible as we have seen in attacks such as Stuxnet, and the German steel mill explosion. However these attacks are extremely complex to carry out and are much more likely to come from a state-sponsored threat actor than a terrorist organisation.
"Typically these cyber attacks are focused at taking industries such as utilities, manufacturing and upstream oil off line for state related political motivations, rather than intentionally killing people.
"RMS modelling suggests the vast majority of loss comes from property damage and business interruption rather than death and bodily injury in these cases," Harvey added.
In late 2014 a cyber attack on a German steel mill resulted in significant damage to the facility, but cyber attacks on commercial targets have not so far caused loss of life.