Does cyberterrorism constitute a real or virtual threat? asks Christoph Kufner

One thing is certain: for terrorists, the internet is an ideal platform for attacks on a country's critical infrastructure. This includes not only supply lines and communications, but also financial institutions.

Attacks from cyberspace can be carried out anonymously, from anywhere and with negligible financial means, but nonetheless they have the potential to cause devastating infrastructure damage.

It is difficult to pinpoint what types of attack are conceivable and, more importantly, which could actually be carried out. Even IT experts have problems with this. Rumours circulate about terror networks' possible strategies for attacks and the resultant countermeasures taken by those under threat. It is almost impossible to decide which of the scenarios really do pose a threat to countries. Realistically, we must assume that increased networking and the current dependence of the world community on IT systems make them an attractive sabotage target for terrorists.

It is thus extremely important to create adequate risk awareness and to determine and implement security standards commensurate with the risk.

All companies and state authorities must ensure that their risk management processes include adequate security measures. In addition to the risk of personal injury and property damage, that of financial loss should not be ignored. One example is the increasing number of cases of extortion on the internet. However, losses could also be caused by diversion or interruption of payments. In today's world of closely interlinked economic structures, this could have a catastrophic effect on companies, national economies and even the global economy.

NEW SOURCES OF RISK

As the "virtual world" becomes more networked, it opens up new sources of risk. In addition to the growth in networking and consequent dependencies, the quasi-monopoly position held by Microsoft is proving a problem. With a market penetration of approximately 80%-90% in the operating system area, the weaknesses of a system are quite transparent. The cyber terrorists know that if they exploit the bugs of these systems they can globally achieve a maximum spread of, for example, infected and/or manipulated systems, and can therefore increase the degree of destruction to a great extent.

Nor should the issue of internal offenders be ignored. Even if figures published in the media (some reports suggest 80% of all attacks on company IT systems emanate from the inside) are out of date and not all internal hackers are cyberterrorists, internal offenders, particularly those working in systems operation, are best placed for attacks. From a security point of view, they can in some cases constitute a serious threat and should therefore in any event be covered by companies' risk management processes.

So what are the consequences for the insurance sector? The subject of cover for cyberterrorist attacks poses a number of problems for the insurance sector in its role as risk carrier. Irrespective of portfolio structure, product design and terms and conditions, cyberterrorism can constitute a potentially high exposure. In addition to the lack of empirical data and statistical material for the calculation of premiums commensurate with the risk, obtaining reliable information in this area is a problem.

Furthermore, there exists the threat of above average claims payments due to the possibility of multi-line exposure, ie to first- and third-party claims.

In addition to the technological possibilities available, there is no doubt that the potential media effect of spectacular attacks provides motivation for terrorists in this area. In view of the security shortcomings still apparent at those companies and institutions likely to be affected, cyberterrorism poses a genuine threat to insurers and society.

- Christoph Kufner is senior underwriter in the Corporate Underwriting/Global Clients department of Munich Re.