Recent incidents have shown how strategic input can elevate a relatively basic attack into something more sophisticated and impactful. And with reports of more sophisticated delivery networks and deployments of IEDs, as well as the use of encrypted communication methods, the vectors for attack continue to evolve. This was seemingly borne out by a plot in Australia last year that saw two men from Sydney attempt to place an explosive device supplied by IS on a passenger plane. Officials described the plot as being one of the most sophisticated ever attempted on Australian soil, with parts of the explosive transported by international air cargo from Turkey through IS operatives in Syria to individuals in Australia. The incident once again emphasised terrorists’ predilection for targeting aviation assets, and how external support can elevate their capabilities.
CBRN attacks are frequently discussed in catastrophic terms, but the spectrum of possible attack types is wide and the likelihood and potential impacts are equally so. Although high-impact, low-probability CBRN events are rightly the focus of risk carriers’ attentions given their potential to distress the (re)insurance market, less sophisticated CBRN attack types should also be given consideration. Acid, for example, is frequently used for malicious, criminal acts, whilst attacks using chlorine or other moderately toxic substances are achievable by self-inspired amateurs. In fact, low-impact attacks have been attempted (and interdicted) in the West, including in the United Kingdom as recently as 2015. And the use of a military-grade nerve agent in Salisbury in March 2018 was significant because it broadened the perception of what scenarios are credible, emphasised the insurance gap from malicious ‘grey’ state acts and demonstrated the significant economic impacts associated with the use of highly persistent area-denial weapons.
Drones have raised concerns as a novel method of attack, be it as a carrier for explosive devices, CBRN agents or even disruption-causing hoaxes. The landing of a small radioactive source on the Japanese prime minister’s office in 2015 exemplified this. Warfare is frequently a stimulus for innovation and the conflict in Syria and Iraq has seen the evolving use of drones by a range of terrorist groups. Tactics for their use have been tested and refined and could migrate to non-conflict zones. The technology is also rapidly evolving, meaning sophisticated drones are reaching the open market at increasingly affordable prices. Coordinated attacks that deploy multiple drones have therefore become possible.
Cyber risks have grown considerably in recent years, reflecting the frequency, scale and sophistication of attacks, as well as increased dependence on technology in both the business and personal spheres. Today’s threat matrix is multi-dimensional, with the impacts from attacks taking many different forms, including loss of data and software, theft of intellectual property, property damage, business interruption and reputational damage, to name only a few. And the risks look set to escalate further due to technological advancements, including the Internet of Things (IoT), the expanding use of cloud computing, smart grids, embedded medical devices and the rise of intelligent machines. This raises the prospect of terrorist organisations targeting corporations by hacking into their networked technology systems in order to facilitate physical attacks. Or, equally as troubling, non-state actors could acquire capabilities that enable them to carry out cyber attacks that cause physical damage or loss of life. Although terrorist groups are currently unlikely to have the expertise needed to mount a destructive cyber attack, certain movements are thought to be seeking to acquire capabilities to launch attacks with tools that can now be purchased or hired on the dark web. This raises serious challenges to risk carriers. At present, exclusions in both terrorism and cyber markets are muddying the waters and a more integrated approach is needed. Malicious cyber attacks by quasi state actors or proxies are a credible concern and conventional war exclusions may unwittingly preclude coverage.
Download the full report