EMERGING CYBER RISK

CYBER ATTACKS AND PROPERTY DAMAGE: WILL INSURANCE RESPOND?

ABOUT JLT SPECIALTY

JLT Specialty Insurance Services is the U.S. platform of JLT Group, the leading specialty business advisory firm. Our client proposition is built upon our specialist knowledge, client advocacy, tailored advice, and service excellence. Our culture reinforces the value of our people with teamwork and collaboration. Together, we place our clients first, champion independent thinking, and expect to be judged on the results we deliver.

ABOUT C/EO

A key component of JLT Specialty’s recent expansion of its U.S. operations has been the formation of the Cyber and Errors & Omissions Practice (C/EO), a team of motivated and skilled people who bring a wealth of experience in complex cyber and E&O placements, and a proven record of success in working with clients of all sizes. We are committed to growing a specialty business in the U.S. market and are aligned with JLT Group’s client-first culture and entrepreneurial drive.

We pride ourselves on a pragmatic approach that leverages the Cyber and E&O practitioners’ deep industry and product knowledge. This starts with an interactive exposure identification and priority discussion. We then transform this discussion into a risk transfer solution strategy, including proposed coverages, insurer partners, and execution timeline.

FROM THE ELECTRICAL GRID TO FINANCIAL NETWORKS TO THE WATER SUPPLY

Many in the cyber security world are referring to 2014 as yet another “Year of the Breach” with high profile events occurring at Target, Staples, Home Depot, Sony, and Anthem, among others.
These incidents all demonstrated the ongoing ability of hackers to infiltrate security systems (no matter how strong) and highlighted the massive costs and disruptions that result from a cyber security incident in which data is stolen. While cyber attacks continue to be a significant exposure for retailers, healthcare companies, and financial institutions (all of whom have large amounts of personally identifiable information), these companies do have the ability to transfer this risk via cyber insurance policies.

Though much of the media focus has been on breaches of private records and information, other industries – like manufacturing, energy, and utilities – are also at risk from cyber attacks. These industries have long been networked through industrial control systems (“ICS”), like SCADA, that monitor and control industrial processes. These open systems now tie together once decentralized facilities; the systems were primarily designed for ease of operation and repair – security of these systems was a secondary consideration at best. The loss of data and associated economic damages are of minor concern to these industries; their far larger concern is a cyber attack on their ICS that leads to first party damage to physical property.

We now know of two major cyber attacks on physical systems that have resulted in destruction or damage to equipment or property (there are unconfirmed reports of more). The 2010 Stuxnet attack on Iranian control systems allegedly carried out by the U.S. and/or Israeli governments is known to have sabotaged centrifuges at a uranium enrichment facility. More recently – and perhaps more troubling because of the unknown identity of the perpetrator – is the late 2014 attack on a German steel mill. German authorities reported that hackers attacked a ThyssenKrupp plant and disrupted its control systems in a manner that prevented a blast furnace from being shut down.
The report does not specify the physical damage, but calls it “massive.” Similar ICS manage critical operations affecting key infrastructure throughout the world – from the electrical grid to financial networks to the water supply – and the harm caused by a cyber attack on systems in these industries could be catastrophic.

From an insurance perspective, the news is not as encouraging when compared to data breaches. The insurance industry does understand that better solutions are needed; insurers in both the property and cyber markets are beginning, albeit slowly, to address the issue.

The genesis of most cyber policies was third party loss scenarios for events like passing along a computer virus or harm caused by any sort of network breach. The goal was to cover a company for the liability it incurred due to a cyber event rather than its own losses. First party coverage was also available for loss of intangible property (data or software, but never hardware) and for loss of income or extra expense due to a cyber attack that shut down a network. But the waiting periods were long, triggers and loss calculations difficult, and coverage was often sublimited. Over time, sublimits eased but scenarios where networks were down long enough for insureds to show losses remained rare.

As data breaches became the driving issue for cyber placements, first party coverages for breach response and reimbursement of regulatory fines and penalties were added so that both the insured’s costs and the third party damages were covered. As mentioned above, these policies are performing very well through established claim payments. But, like most E&O policies, property damage and bodily injury claims are excluded, and claims for damage to the insureds’ hardware or any other tangible property of the insured or others are not covered. Coverage for first party business interruption losses due to a security failure has also improved, but long waiting periods remain common.

The cyber marketplace is slowly beginning to address first party physical property damage caused by cyber events, but coverage is limited and untested. AIG, through their CyberEdge PC product, has attempted to address the issue here in the U.S. This policy offers coverage on an excess and difference-in-conditions basis. It addresses coverage gaps in other policies (e.g., property, casualty, energy, aerospace, environmental, terrorism, etc.), where cyber-related exposures may be excluded or where coverage is limited. To the extent the underlying policy fails to respond to a property damage claim resulting from a cyber event, the CyberEdge policy would drop down to respond. To date, few policies have been written, but the product merits consideration. In London, a handful of carriers (including
Aegis and Brit) offer various coverages to address this risk, but the underwriting has been focused in the property space; premium and program structure (significant retentions) have been inhibitors to buying coverage. Brit, in particular, has created a stand-alone product that affirmatively offers coverage for the first party property damage and, through a consortium, can offer up to $350M in coverage. Acceptance and adoption will take time, and to date stand-alone options have yet to gain traction, but such offerings indicate that an evolution in coverage has begun.

The other avenue for coverage is traditional property policies. However, some carriers offer named peril policies (more common for smaller companies) that are designed to respond to “covered causes of loss” and perils (e.g., fire, lightning, explosions, flood). Cyber events have not been included in these lists and they are unlikely to be added. Larger companies usually purchase “all risk” policies that eliminate this issue. But on these policies, the trends are mixed.

For many industries, a number of leading property carriers fully intend to cover property damage that results from a cyber attack. For example, should a hacker attack an industrial system, prevent a machine from shutting down, and cause it to overheat and start a fire, these policies would respond to the property damage caused by said fire. Though their language is often less than definitive, these carriers confirm that their policies cover loss from a fire regardless of the cause.

However, other markets, with similarly vague language, state that they are not covering this risk. Whether due to limited cyber underwriting expertise, fear of aggregation issues, reinsurance concerns, or all of the above, they are unwilling to provide coverage for property damages as envisioned in the fire example above.
These carriers limit damages to “electronic data or software” and not tangible property, and are increasingly specifically barring coverage by exclusion or carveback, with this practice more prevalent in certain industries. Energy companies, in particular, face unique challenges in this marketplace. For example, the Institute Cyber Attack Exclusion Clause CL380 is a well-established endorsement barring coverage for cyber events and is especially common in the energy industry. Recently, some markets in London have been willing to carve back or agree to a limited buy back on this exclusion, but acceptance remains uneven and sporadic. Certain Bermuda insurers are also beginning to offer property damage coverage arising out of cyber events, but overall capacity and interest are limited.

Finally, depending upon the nature of the attack, terrorism coverage could provide cover for property damage, even if the underlying property policy did not contemplate cyber triggers. For terrorism coverage to be triggered, the U.S. government must certify the act as “terrorism.” With no historical experience to rely upon, it is unclear how this will work in practice. The recent Sony attack has been blamed by some on terrorism, but there are mixed views as to who was really involved. As evidenced by the Sony event, disagreements are to be expected and, especially for cyber events, the government may be reluctant or unable to certify a terrorist act, making legal disputes likely.
Enterprise-wide cyber activity and cyber losses are increasingly broader than the loss of data, and companies in all industries should review their exposures and consider insurance solutions to mitigate or transfer their particular risks. Our view is that, ultimately, this risk belongs in property policies but much work remains to be done as carrier views on these risks and coverages remain in flux. On privacy risks, the maturing cyber insurance marketplace has seen significant improvements in coverage over the past few years. With the omnipresent cyber threat expanding, we expect insurance coverage in the cyber arena to continue to evolve to solve our clients’ concerns around property loss as well.

Steve Bridges
Senior Vice President
Cyber and E&O Practice
312.235.8223
Steve.Bridges@jltus.com

JLT Specialty Insurance Services Inc.
300 S. Wacker Dr., 24th Floor
Chicago, IL 60606
312.235.8223
www.jlt.com

JLT Specialty’s Cyber and E&O Practice (C/EO) is a talented team of people who bring a wealth of experience in complex cyber and E&O placements and a proven record of success working with clients of all sizes. At the forefront of developments and trends related to risk, coverage, and claims, we utilize our knowledge and experience to design innovative and market-leading coverage and positive claim results for our clients.