Drones go far beyond standalone physical devices: they can also be software-driven tools that can be autonomised via artificial intelligence (“AI”) and integrated seamlessly within networks, serving as dynamic endpoints creating a wide range of real-world claims. We have seen the devastating impact of drones in warfare, and the wider implications across the agricultural and industrial sectors. Given their technological capabilities, drones must be recognised as susceptible to compromise and malicious exploitation. Insurers may wish to take proactive steps to address the emerging risks associated with drones before it’s too late and the exposure worsens.
A new frontier in insurance risk, liability and claims?
As drones become more integrated into various sectors, they also present significant challenges for the insurance market – particularly with the potential misuse of drones by threat actors. The rise of drone autonomy and proliferation, whilst transformative for industries like logistics, agriculture and infrastructure, also opens new avenues for malicious actors to exploit these technologies for nefarious purposes. These threats, from physical attacks and espionage to cybercrime, will undoubtedly have profound implications for the insurance industry.
The technological development of drones is advancing at an unprecedented rate, largely fuelled by their increasing uptake in modern warfare, particularly on the battlefields of Europe. As drones become more sophisticated, their applications are extending far beyond military contexts, mirroring the historical trajectory of cyber technology. Just as cyber threats have evolved from military applications, drones are following a similar path. What once were highly specialised tools are now becoming accessible to a broader range of non-state actors. This rapid proliferation of drone technology poses significant challenges that extend beyond national security, and it also presents an opportunity for the insurance sector, which needs to identify, respond to and mitigate the risk for industry.
The emerging threats
The proliferation and integration of drone technology is unprecedented. The areas where these threats are likely to materialise fall into four main categories:
1. Physical attacks (weaponisation):
Drones can be weaponised to carry explosives, deliver dangerous substances, or launch direct attacks on infrastructure and populated areas. Drones equipped with explosives or chemical agents could cause significant damage, providing an entirely new and unexploited attack vector.
2. Surveillance and espionage:
Autonomous drones can be used for surveillance purposes to gather intelligence on individuals, companies and government facilities. Drones equipped with cameras, infrared sensors, audio capability or facial recognition software can collect sensitive data without being detected. This poses risks for corporate espionage, privacy violations and compromised national security.
3. Cyberattacks:
Drones can serve as entry points for cyberattacks by exploiting vulnerabilities in their control systems. Hackers could seize control of drones to manipulate them for surveillance, delivery of malicious payloads, or disruptions to operations. For instance, drones may be used to deliver malware into secure facilities, bypassing traditional security measures. As commercial drones are increasingly adopted, the associated risk of network compromise increases.
4. Disruption of operations/events:
Drones can be used to interfere with operations in critical infrastructure sectors, such as energy plants and transportation hubs. They also serve as a propaganda weapon, easily able to disrupt events. A well-timed drone disruption can halt supply chains, delay air traffic, or cause severe damage to operations, leading to significant financial losses. An example of this was seen in 2018, when hundreds of flights were cancelled at Gatwick Airport owing to the mere presence of an unauthorised drone in a controlled airspace.
Challenges in countering the threat
The rapid pace of technological development means that countermeasures are lagging far behind, leaving security forces and businesses scrambling to develop effective defences against a constantly evolving threat. Combined with the ease of access to drone technology for non-state actors, these factors make drones a particularly potent and challenging threat to counter. Drone countering technology falls into two categories: hard and soft techniques. A hard countermeasure involves a physical action or direct intervention against the drone to disable or destroy it. Such measures are not currently applicable to a commercial environment. As such, the main focus is on non-physical soft mechanisms which use electronic or cyber techniques to interfere with the drone’s operation via jamming, spoofing and hacking. There is a myriad of small, innovative companies providing advanced techniques and technologies to deliver these capabilities to commercial organisations.
Much like cybersecurity, the domain of soft countermeasures benefits from a service-oriented approach, emphasising real-time adaptability, ongoing updates and intelligence sharing. Companies in this space are increasingly aligning themselves with the as-a-service model, akin to cybersecurity vendors offering managed services and threat intelligence.
Implications for insurance claims
The use of drones by threat actors introduces new and complex scenarios for insurance claims. Insurers will need to adapt to these emerging risks by considering various factors that have previously not been part of their risk models. The following areas are likely to be impacted:
Cyber breach implications
Drones are vulnerable to hacking and manipulation, with malicious actors increasingly gaining the ability to hijack or spoof drones in flight. A hijacked drone, for instance, could crash into a building, cause a fire, or disrupt critical infrastructure. In these cases, the claims process will not only need to address physical damage but also the cyber breach itself. Investigating how the drone was compromised and holding the responsible parties accountable will become an integral part of claims handling.
Insurers will need to evaluate whether the drone manufacturer or operator failed to implement sufficient cybersecurity measures. The investigation will involve not just technical experts in drone systems, but also cybersecurity professionals, to understand the scope of the attack and its financial impact.
Liability attribution
One of the most complex aspects of claims involving drones will be attributing liability. Determining who is responsible when a drone is used for a criminal purpose is not straightforward. If a drone is hijacked and used in a terrorist attack, the operator, manufacturer, or even the software developer, may share some level of liability. Additionally, malicious actors who take control of drones and cause damage may be difficult to trace or prosecute, further complicating the claims process. For insurers, this will require a bespoke approach to claims handling. There is also a clear need to collaborate with law enforcement and digital forensics experts to track the origin of the attack and determine fault. In some cases, the claims process may become part of a larger legal investigation, adding a layer of complexity to the resolution of the claim. Again, the similarities between drone and cyber claims are clear, particularly when considering a ransomware attack.
Property damage and infrastructure disruption
Drones used by malicious actors can cause extensive property damage, either directly or indirectly. A hijacked drone crashing into a building or a piece of infrastructure could result in millions of pounds in damage. Furthermore, drones could be used to disrupt critical services such as electricity, communications, or transportation, leading to business interruption claims. These types of claims are far more complex than traditional property damage claims, as they involve not just the physical destruction of assets but the ripple effects on operations, revenue and reputation. Insurers will need to reassess how they calculate risks and premiums for industries that rely heavily on infrastructure. This may involve creating new categories of coverage specifically for drone-related risks, including coverage for lost business due to infrastructure disruption, or data loss caused by drone surveillance. Large-scale events are particularly vulnerable to disruption, and the risk is currently not catered for within the insurance market.
How insurers may evolve their response to the growing threat
The claims and response processes in the cyber insurance market offer a valuable blueprint for addressing the rising risks posed by drones. Much like the surge in cyber adoption in the early 2000s, the uptake of drones will likely follow the same trajectory. Similarly, the evolution of vendor service responses will likely tread the same pathway, with huge opportunities in pre-loss risk mitigation. Early mover adoption by insurers provides an opportunity for those seeking to secure a commanding position in this area. Insurers can proactively adapt by partnering with drone and counter-drone experts to provide specialised support in the event of an attack, particularly in the deployment of soft countermeasures. Integrating these capabilities into risk management frameworks would enable insurers to better prevent or mitigate damage caused by malicious drone activity, protecting their clients and financial interests.
To be prepared for the inevitable, given the ever-increasing commercial popularisation of drones, the insurance market must develop a solution now.
For more information, contact David Stirling, Incident Response & Cyber / Technology Operations Lead at Crawford & Company, at david.stirling@crawco.co.uk.