Traditional cyber insurance has been concerned with unseen intangible attacks that wreak financial havoc from the cloud in the form of data theft, phishing, ransomware, and other digital crimes.
In our increasingly interconnected world, however, businesses need to be prepared for “real world” mayhem from cyberattacks which makes it wise to consider adding bodily injury and property damage to your cyber policy.
“Increasingly, something called cyber-physical attacks are making their way into the conversation – particularly in the critical infrastructure industry,” wrote Elizabeth Blosfield, deputy editor for carrier management at the Insurance Journal.
The Internet of Things (IoT) has opened a world of possibilities with a collective network of connected devices able to communicate with the cloud and between themselves.
From driverless vehicles to smart appliances to healthcare monitors the benefits are promising, but when it comes to connected manufacturing equipment, there are the dangers of cyberattacks which can result in bodily injury and property damage.
“A cyber-physical attack means a bad actor can take over computer systems for things like electrical, water or natural gas infrastructure, among other things, to cause physical damage – sometimes manifesting as bodily harm or property loss,” says Blosfield.
Gartner says that the risks are significant and real with an out-of-this-world 3,900 percent increase in critical infrastructure attacks from just 10 recorded in 2013 to almost 400 in 2020.
“Over time, the technologies that underpin critical infrastructure have become more digitized and connected to enterprise IT systems and sometimes to each other, creating cyber-physical systems (CPS),” says Gartner VP Analyst Katell Thielemann. “CPS are composed of both legacy infrastructure deployed years ago without built-in security and new assets, which are also deployed full of vulnerabilities.”
Gartner says that the crux of the problem is that traditional network-centric, point solution security tools are no longer sufficient to combat the speed and complexity of today’s cyberattacks. This is particularly the case as operational technology (OT), which connects, monitors, and secures industrial operations (machines), continues to converge with the technology backbone that processes the organization’s information (information technology).
Critical infrastructure systems in the U.S. that are vulnerable to cyberattacks include:
Gartner predicts the following:
The Science Times reported in 2021 that by this year, cyber-physical systems attacks will cost the world’s economy some $50 billion annually.
“The consequences of a globally interconnected digital world coupled with sophisticated cybercrime are that cyber-attacks have now transcended into the real world,” said the article.
The Science Times cited the following real-world examples of cyberattacks on CPS:
“The Nation’s health, safety, and economy depend on the functioning of complex and interconnected infrastructure systems that provide critical services to communities across the nation,” said a Resilient Investment Planning and Development Working Group white paper published in March 2023. “The evolution and escalation of threats and stressors to critical infrastructure, combined with their increased reliance on cyber, have led to an exponential increase in risks to our national security.”
Businesses with cyber insurance may find coverage gaps between those specific policies and their standard commercial liability and property insurance.
While traditional commercial liability and property insurance policies may cover certain aspects of cyber risks, they typically do not address bodily injury or property damage resulting from cyber-attacks.
On the other hand, typical cyber insurance policies cover a range of expenses associated with cyber incidents.
These may include costs related to:
Additionally, cyber policies often provide coverage for third-party claims resulting from data breaches, privacy violations, or intellectual property infringement.
However, bodily injury and property damage resulting from cyber-attacks are generally excluded from traditional cyber insurance policies.
This coverage gap underscores the importance of seeking specific bodily injury and damage cover within cyber insurance to adequately protect against potential liabilities arising from cyber incidents.
The Insurance Journal article cited the example of a suspicious fire started by bad actors taking over infrastructure controls.
“Now, I’m quite certain that if this happened a hundred times, you wouldn’t be able to automatically say this is a cyber attack. You would really need to examine the machinery, the computer control systems, to really find out whether or not it was the fault of a component of the industrial complex itself or whether it was the act of a third party,” Marc Voses, partner at Clyde & Co. told the publication. “And guess what? Sometimes, there might not be any traces left over to identify that this was, in fact, a cyber attack.”
He continued: “So then the question is going to be, well, is there coverage for the attack? Is there coverage for the fire? Does the policy exclude coverage for both? And these are some really tough questions that need to be asked in evaluating the claim. You might have a property loss, but at the inception, it might look like a fire. When you look at it deeper, it was caused by a threat actor that actually caused the fire, and there might be an exclusion within the policy excluding the acts of a third party affecting the computer system which results in property damage.”
Dataprise, which offers managed cybersecurity, says that while cyber insurance is a must for businesses, not all policies are created equally.
“This is, in part, because it’s difficult to underwrite risk accurately. From the lack of data to the constantly evolving tactics of hackers, there are a lot of moving pieces,” explains Dataprise.
In addition to not covering bodily injury and property damage, some common exclusions for cyber insurance policies, says Dataprise, include:
It is imperative that businesses confer with their insurance specialist to determine if their comprehensive insurance plan covers all aspects of cyberattacks, including any resulting bodily injury and property damage.
“Despite the introduction of specific cyber policies to cover the risk, many insureds still expect to be covered under their property and liability policies — and yet, they are not,” says Risk & Insurance. “This phenomenon is known as silent cyber or non-affirmative cyber: Where potential cyber-related events or losses are not expressly covered or excluded within traditional policies.”
The publication says that carriers may end up having to pay arising claims that were both unexpected and not priced properly. And because of the confusion around coverage, policyholders also run the risk of having unexpected coverage gaps.
The key is achieving affirmative cyber coverage for bodily injury and property damage to make sure that your business and its resources are properly protected.
“From a broker standpoint, failure to have clarity on cyber risk within policies can cause coverage disparity over what events are and aren’t covered,” Kelly Castriotta, managing director and global cyber underwriting executive at Markel, told Risk & Insurance. “For insurers, it can cause accumulated losses not necessarily priced for, and for the policyholder, they may not have the right coverage to offset the operational disruption as well as the physical damages and losses caused by a cyber event.”
Contact Dean & Draper today for a free analysis of your company’s cyber and other commercial insurance policies and the protection they provide in the event of cyberattacks, even those that result in bodily injury and property damage.