In recent years, there has been no shortage of news about large-scale data privacy breaches, incidents that have affected tens of millions of consumers nationwide. Those incidents have spurred a growing market for so-called “cyber-policies.” However, insurers and the media have given far less attention to the serious risk of large-scale physical property damage and business interruption losses stemming from a cyber-breach. That relative lack of attention persists even though the U.S. Department of Homeland Security has warned that “[a]s a nation, we face constant cyber-threats against our critical infrastructure and economy.”
How could a cyber-incident cause property damage or significant interruption of business activity? Consider that a hacker who gains access to a company’s computer systems and penetrates its operational or plant controls could cause breakdowns in company processes, or even outright destruction of certain physical facilities. A hacker could also reroute shipments, interrupt supply chains and wreak other types of havoc with products, property and procedures.
In a recent survey, 54 percent of business respondents reported that in the last year their organization had experienced an attack in which the attacker attempted to manipulate the organization’s equipment through a control system. The risks to particular segments of the marketplace, such as homebuilders and some of the contractors with whom they work, are readily apparent.
As these risks mount, insurance coverage will need to keep pace. Even when “insurance for property damage caused by a cyberattack” becomes more widely available, it is almost certain that insurers and policyholders will have substantially different views of what should and should not be covered when a cyberattack causes physical damage and business interruption. Insurers have already begun to develop and publish a number of exclusions aimed at property and business interruption losses stemming from cyberattacks, such as the Institute Cyber Attack Exclusion Clause CL380 (a domestic form) and Electronic Data Exclusion NMA2914 (a London Market form). However, these forms are not universally added to form property policies, and some larger companies have custom-designed policies that do not include those forms.
Policyholders must not simply assume that their cyber-risk policies are the only coverage available to them. By the same token, they also should not assume that their property policies will cover damage resulting from a cyber-breach. Policyholders should work closely with counsel and with their brokers in advance of policy renewals to assess their levels of coverage, and to strategize about the terms and provisions that they need to negotiate into (or out of) their policies.