
Another Cyber-Risk: Hacks That Cause Property Damage and Interrupt Business Processes

Philip R. Stein

In recent years, there has been no shortage of news about large-scale data privacy breaches, incidents that have affected tens of millions of consumers nationwide. Those incidents have spurred a growing market for so-called “cyber-policies.” However, insurers and the media have given far less attention to the serious risk of large-scale physical property damage and business interruption losses stemming from a cyber-breach. This relative lack of attention persists even though the U.S. Department of Homeland Security has warned that, “[a]s a nation, we face constant cyber-threats against our critical infrastructure and economy.”

How could a cyber-incident cause property damage or significant interruption of business activity?  Consider that a hacker who gains access to a company’s computer systems and penetrates its operational or plant controls could cause breakdowns in company processes, or even outright destruction of certain physical facilities.  A hacker could also reroute shipments, interrupt supply chains and wreak other types of havoc with products, property and procedures.

In a recent survey, 54 percent of business respondents reported that in the last year their organization had experienced an attack in which the attacker attempted to manipulate the organization’s equipment through a control system. The risks to particular segments of the marketplace, such as homebuilders and some of the contractors with whom they work, are readily apparent.

As these risks mount, insurance coverage will need to keep pace. Even when “insurance for property damage caused by a cyberattack” becomes more widely available, it is almost a certainty that insurers and policyholders will have substantially different views of what should and should not be covered when a cyberattack causes physical damage and business interruption. Insurers have already begun to develop and publish a number of exclusions aimed at property and business interruption losses stemming from cyberattacks, such as the Institute Cyber Attack Exclusion Clause CL380 (a domestic form) and Electronic Data Exclusion NMA2914 (a London Market form). However, these forms are not universally added to form property policies, and some larger companies have custom-designed policies that do not include those forms.

Policyholders must not simply assume that their cyber-risk policies are the only coverage available to them. By the same token, they also should not assume that their property policies will cover damage resulting from a cyber-breach. Policyholders should work closely with counsel and with their brokers in advance of policy renewals to assess their levels of coverage, and to strategize about the terms and provisions that they need to negotiate into (or out of) their policies.
