Traditional cyber insurance has been concerned with unseen intangible attacks that wreak financial havoc from the cloud in the form of data theft, phishing, ransomware, and other digital crimes.
In our increasingly interconnected world, however, businesses need to be prepared for “real world” mayhem from cyberattacks, which makes it wise to consider adding bodily injury and property damage coverage to your cyber policy.
“Increasingly, something called cyber-physical attacks are making their way into the conversation – particularly in the critical infrastructure industry,” wrote Elizabeth Blosfield, deputy editor for carrier management at the Insurance Journal.
Internet of Things (IoT) Comes with Cyberattack Vulnerabilities
The Internet of Things (IoT) has opened a world of possibilities with a collective network of connected devices able to communicate with the cloud and between themselves.
From driverless vehicles to smart appliances to healthcare monitors, the benefits are promising, but when it comes to connected manufacturing equipment, there is the danger of cyberattacks that can result in bodily injury and property damage.
“A cyber-physical attack means a bad actor can take over computer systems for things like electrical, water or natural gas infrastructure, among other things, to cause physical damage – sometimes manifesting as bodily harm or property loss,” says Blosfield.
Gartner says that the risks are significant and real, with an out-of-this-world 3,900 percent increase in critical infrastructure attacks, from just 10 recorded in 2013 to almost 400 in 2020.
“Over time, the technologies that underpin critical infrastructure have become more digitized and connected to enterprise IT systems and sometimes to each other, creating cyber-physical systems (CPS),” says Gartner VP Analyst Katell Thielemann. “CPS are composed of both legacy infrastructure deployed years ago without built-in security and new assets, which are also deployed full of vulnerabilities.”
U.S. Critical Infrastructure at Risk of Cyberattacks
Gartner says that the crux of the problem is that traditional network-centric, point solution security tools are no longer sufficient to combat the speed and complexity of today’s cyberattacks. This is particularly the case as operational technology (OT), which connects, monitors, and secures industrial operations (machines), continues to converge with the technology backbone that processes the organization’s information (information technology).
Critical infrastructure systems in the U.S. that are vulnerable to cyberattacks include:
- Commercial facilities
- Critical manufacturing
- Defense industrial base
- Emergency services
- Financial services
- Food and Agriculture
- Government facilities
- Healthcare and public health
- Information technology
- Nuclear reactors, materials, and waste
- Transportation systems
- Water and wastewater systems
Gartner's predictions for critical infrastructure security include:
- By 2024, a cyberattack will so damage critical infrastructure that a member of the G20 will reciprocate with a declared physical attack.
- By 2024, 80 percent of critical infrastructure organizations will abandon their existing siloed security solutions providers by adopting hyper-converged solutions to bridge cyber-physical and IT risks.
- Through 2026, less than 30 percent of U.S. critical infrastructure owners and operators will meet newly mandated government security requirements for cyber-physical systems.
Cyber-Physical Systems Attacks Already Causing Billions in Damages
The Science Times reported in 2021 that by this year, cyber-physical systems attacks will cost the world’s economy some $50 billion annually.
“The consequences of a globally interconnected digital world coupled with sophisticated cybercrime are that cyber-attacks have now transcended into the real world,” said the article.
The Science Times cited the following real-world examples of cyberattacks on CPS:
- The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has covered several CPS incidents, one of them being disruptions in an industrial plant's instrument system.
- A cyber-attack on a major U.S. oil and gas pipeline was noted as one of the costliest attacks on a national economy.
- The cyber-attack on the San Francisco MUNI/SFMTA (Municipal Transportation Agency).
- An attack on a German steel mill disrupted control systems and prompted the partial shutdown of the plant.
- A Russian-based cyber-attack remotely disabled electrical power in a considerable portion of the nation of Ukraine.
- A cyber-attack on hospital HVAC systems that were infected with malware and a remote-access program jeopardized patient safety.
- An Iranian cyber-attack on the Supervisory Control and Data Acquisition (SCADA) systems of the Bowman Dam in Rye, New York almost gave the cybercriminal complete control of the operation of the dam.
- The famous Stuxnet worm which disrupted uranium centrifuges in an Iranian nuclear plant.
“The Nation’s health, safety, and economy depend on the functioning of complex and interconnected infrastructure systems that provide critical services to communities across the nation,” said a Resilient Investment Planning and Development Working Group white paper published in March 2023. “The evolution and escalation of threats and stressors to critical infrastructure, combined with their increased reliance on cyber, have led to an exponential increase in risks to our national security.”
Traditional Cyber Insurance May Leave Gaps in Coverage
Businesses with cyber insurance may find coverage gaps between those specific policies and their standard commercial liability and property insurance.
While traditional commercial liability and property insurance policies may cover certain aspects of cyber risks, they typically do not address bodily injury or property damage resulting from cyber-attacks.
On the other hand, typical cyber insurance policies cover a range of expenses associated with cyber incidents.
These may include costs related to:
- Breach response
- Forensic investigations
- Legal assistance
- Public relations
- Business interruption
Additionally, cyber policies often provide coverage for third-party claims resulting from data breaches, privacy violations, or intellectual property infringement.
However, bodily injury and property damage resulting from cyber-attacks are generally excluded from traditional cyber insurance policies.
This coverage gap underscores the importance of seeking specific bodily injury and damage cover within cyber insurance to adequately protect against potential liabilities arising from cyber incidents.
The Insurance Journal article cited the example of a suspicious fire started by bad actors taking over infrastructure controls.
“Now, I’m quite certain that if this happened a hundred times, you wouldn’t be able to automatically say this is a cyber attack. You would really need to examine the machinery, the computer control systems, to really find out whether or not it was the fault of a component of the industrial complex itself or whether it was the act of a third party,” Marc Voses, partner at Clyde & Co., told the publication. “And guess what? Sometimes, there might not be any traces left over to identify that this was, in fact, a cyber attack.”
He continued: “So then the question is going to be, well, is there coverage for the attack? Is there coverage for the fire? Does the policy exclude coverage for both? And these are some really tough questions that need to be asked in evaluating the claim. You might have a property loss, but at the inception, it might look like a fire. When you look at it deeper, it was caused by a threat actor that actually caused the fire, and there might be an exclusion within the policy excluding the acts of a third party affecting the computer system which results in property damage.”
Not All Cyber Insurance Policies are Created Equally
Dataprise, which offers managed cybersecurity, says that while cyber insurance is a must for businesses, not all policies are created equally.
“This is, in part, because it’s difficult to underwrite risk accurately. From the lack of data to the constantly evolving tactics of hackers, there are a lot of moving pieces,” explains Dataprise.
In addition to not covering bodily injury and property damage, some common exclusions for cyber insurance policies, says Dataprise, include:
- Third-party providers: Suppliers and vendors of any kind can create huge gaps for their clients. If there’s a data breach due to their protocols, any resulting ramifications to your business are unlikely to be covered by your insurance.
- Lost portable devices: Insurance companies will not take responsibility for lost or stolen portable electronics. (Some companies will modify this policy if these devices are encrypted.)
- War, invasion, or terrorism: Any damage from government-sponsored groups or ideological origins may be excluded from the policy.
- Security maintenance failures: The company must meet and maintain minimum security standards to have an insurance claim approved.
It is imperative that businesses confer with their insurance specialist to determine if their comprehensive insurance plan covers all aspects of cyberattacks, including any resulting bodily injury and property damage.
“Despite the introduction of specific cyber policies to cover the risk, many insureds still expect to be covered under their property and liability policies — and yet, they are not,” says Risk & Insurance. “This phenomenon is known as silent cyber or non-affirmative cyber: Where potential cyber-related events or losses are not expressly covered or excluded within traditional policies.”
The publication says that carriers may end up having to pay claims that were both unexpected and not properly priced. And because of the confusion around coverage, policyholders also run the risk of having unexpected coverage gaps.
The key is achieving affirmative cyber coverage for bodily injury and property damage to make sure that your business and its resources are properly protected.
“From a broker standpoint, failure to have clarity on cyber risk within policies can cause coverage disparity over what events are and aren’t covered,” Kelly Castriotta, managing director and global cyber underwriting executive at Markel, told Risk & Insurance. “For insurers, it can cause accumulated losses not necessarily priced for, and for the policyholder, they may not have the right coverage to offset the operational disruption as well as the physical damages and losses caused by a cyber event.”
Contact Dean & Draper today for a free analysis of your company’s cyber and other commercial insurance policies and the protection they provide in the event of cyberattacks, even those that result in bodily injury and property damage.