October ordinarily brings the return of crisp air, fall foliage, and Halloween. This year, for the first time, it also brings National Cyber Security Awareness Month. Yet designating a month to increase cybersecurity awareness seems redundant. We are reminded almost daily of the importance of cybersecurity, as media reports of cyber breaches have become commonplace. Of course, the most widely reported cyber incidents have been data privacy breaches that have affected tens of millions of consumers nationwide. These are the sorts of incidents that have spawned a growing market for so-called “cyber policies” (although as we wrote recently, the CEO of one of the largest insurers has acknowledged that cyber insurance capacity remains relatively small).
But a potentially more damaging cyber threat that may cause enormous property and economic losses has been getting much less attention, both in the media and by insurers – the risk of large-scale physical property damage and business interruption losses stemming from a cyber breach. As the Department of Homeland Security aptly notes on its National Cybersecurity Awareness Month web page, “[a]s a nation, we face constant cyber threats against our critical infrastructure and economy.” A hacker who is able to infiltrate a company’s computer systems and reach its operational or plant controls could, for example, reconfigure sensitive manufacturing equipment, causing a breakdown in assembly or even destruction of a plant. A hacker could also reroute incoming or outgoing shipments and cause huge supply chain issues, which could lead to lost sales or spoilage of merchandise or components.
Though very few such incidents have been reported—an article earlier this year identified only two publicly known incidents, including an attack that caused “massive” damage at an “unnamed steel mill in Germany”—the effects could be devastating for a business. And reports suggest that activity leading to such attacks is increasing. A recent report from the Organization of American States shared some eyebrow-raising results from a survey of the heads of security for companies who manage critical infrastructure:
- 53% of respondents noticed an increase in incidents involving their computer system (only 7% reported a decrease);
- 76% agreed that such incidents targeting infrastructure are getting more sophisticated (only 5% disagreed); and
- 54% of respondents reported that in the last year their organization had experienced an attack in which the attacker attempted to manipulate the organization’s equipment through a control system.
As these risks grow, it is important that insurance coverage keeps pace. There are indications, however, that insurers and policyholders may differ in their views of what will and will not be covered when a cyberattack causes physical damage and business interruption. This was perhaps best illustrated by a Lloyd’s report released in July that explored the economic and insurance effects of a hypothetical cyberattack that causes a major East Coast blackout. The report candidly acknowledged that there is “uncertainty and ambiguity” regarding whether certain losses would be covered; that “[p]roperty covers and ‘all risks’ descriptions are commonly silent on whether cyber-related losses would be paid”; and that “[t]his mismatch of expectation and reality could be expected to generate disputes in the event of a large scale cyber loss.” To be sure, insurers have developed a number of exclusions aimed at property and business interruption losses stemming from cyberattacks, such as the Institute Cyber Attack Exclusion Clause CL380 (a domestic form), and Electronic Data Exclusion NMA2914 (a London Market form). However, these forms are not universally added to form property policies, and many larger companies have manuscripted policies.
Moreover, as this is an emerging area of risk, and because the language in property policies can vary widely, the case law is inconsistent regarding critical issues such as whether a cyber breach constitutes physical damage sufficient to trigger business interruption coverage. Some courts have found coverage where a hacking incident leads to loss of use of a system, but others have limited coverage in such circumstances based on the particular policy language involved.
To best prepare for a cyber incident that causes physical damage and business interruption, it is important for policyholders not to assume that their cyber risk policies are the only coverage available. On the other hand, policyholders should not assume that their property policies will necessarily cover damage resulting from a cyber breach. At some point during National Cyber Security Awareness Month, we urge policyholders to review all their property policies closely to assess whether they will have coverage should they face this increasingly likely situation. Policyholders should work closely with their brokers at the time of renewal; those with all-risks policies should resist or seek to remove any exclusions that could be read to bar coverage for damage due to a cyber breach, and those with Named Perils coverage should consider asking their underwriter to specifically include cyber breaches as a Named Peril. You may not like the answer you get, but at least you will have identified the problem.