Australian critical infrastructure is facing an unprecedented rise in cyberattacks, with sectors such as energy, water, healthcare and transportation sustaining a 50% increase in incidents in recent years.[1]
The Australian Signals Directorate (ASD) warns that cyberthreats are no longer confined to data breaches and digital disruptions — they now have the potential to cause physical damage. The ASD details a troubling trend of cyberattacks affecting key sectors that could be exposed to physical damage, including energy, healthcare, transport and communications,[2] as well as industries such as food and beverages, manufacturing, mining and agriculture.
With organisations becoming increasingly reliant on automation and interconnected systems to enhance efficiency, the risk of cyber incidents resulting in physical damage is growing.
Australian businesses and service providers are now contending with both traditional cybercriminals and state-sponsored actors, who are employing ever more sophisticated tactics to target critical infrastructure and government networks.
Many traditional insurance policies may not adequately cover these risks, potentially leaving businesses exposed to costly financial and operational setbacks. Understanding coverage gaps and implementing proactive risk management strategies are essential to safeguarding physical assets against evolving cyberthreats.
The hidden risks in traditional insurance
Standard cyber insurance primarily focuses on digital threats, such as data breaches and ransomware attacks, but typically excludes physical damage from cyber incidents. This leaves organisations vulnerable to financial and operational losses, particularly for sectors relying on operational technology (OT) environments.
A cyberattack targeting OT systems can have severe consequences, such as equipment failures, suspended production and infrastructure damage. From a health and safety perspective, physical damage attacks also have the potential to cause personal injury.
In response to these emerging threats, property and casualty (P&C) insurers have begun defining cyber-related coverage in their policies more explicitly, with many adopting exclusions that significantly limit coverage for physical perils such as fire, explosion and flooding caused by cyber incidents.
As a result, businesses may unknowingly be operating with critical insurance coverage gaps, leaving them exposed to substantial financial losses in the event of a cyber incident leading to physical damage.
Examples of sector exposures
The convergence of cyber risk and physical damage is becoming increasingly evident, particularly in industries such as manufacturing, transport and hospitality, as well as healthcare, communications and energy. These sectors are particularly vulnerable because their operations depend on complex digital systems that, if compromised, can lead to severe disruptions, financial losses and even personal injury.
- Hospitality sector: A cyberattack on a building management system could activate sprinklers, causing water damage, business disruption and financial loss.
- Manufacturing sector: Hackers targeting industrial control system networks could override safety protocols, leading to machinery overheating, fires and suspended production — endangering workers while causing property damage and business interruption.
- Energy sector: A cyberattack on an offshore oil rig's control system could manipulate operational parameters, such as altering pressure levels or shutting down safety systems. This could result in physical damage, environmental harm, financial losses and injury to personnel.
Cyber exclusions in property and casualty insurance
Recently, Australian critical infrastructure networks have sustained both targeted and opportunistic malicious cyber activity. Threat actor activity against these networks is likely to increase as network dependency grows, compounded by increased network complexity.
The rise in high-profile, large-scale cyber incidents in Australia, such as the Optus breach and the attack on port operator DP World Australia, has demonstrated the systemic consequences of cyberthreats and reshaped the way insurers assess and manage their exposure to cyber-related losses.
The widespread disruptions and spillover from such attacks have now prompted property insurers to implement a more cautious and restrictive approach to covering cyber risks, including:
- Absolute cyber exclusions: Some P&C carriers explicitly exclude any losses linked to a cyber event, regardless of the nature or impact of the attack.
- Nuanced exclusions: Other insurers provide limited write-backs for named perils, such as fire or explosion, when directly triggered by a cyber event. However, these write-backs often come with strict conditions, such as requiring robust cybersecurity measures or proof of compliance with industry standards.
Businesses operating in OT-dependent sectors face significant challenges due to these exclusions. Unlike traditional information technology (IT)-focused cyber risks, OT cyberthreats may cause direct physical harm, including equipment destruction, system failures and safety hazards, which may also lead to bodily injury.
The lack of clear coverage in P&C policies means organisations may face substantial uninsured losses.
Risk mitigation strategies: Strengthening cyber and physical resilience
While insurance is a critical component of risk management, businesses should also take proactive steps to mitigate their exposure to cyberthreats, particularly those that could lead to significant physical damage or operational downtime.
Key strategies
- Segregation of IT and OT environments: Implement air-gapping, firewalls and strict access controls to reduce interconnectivity and minimise risks.
- Enhanced cyber hygiene and threat detection: Invest in endpoint detection and response (EDR) tools, security operations centres (SOCs), regular patching and updates, and multi-factor authentication (MFA).
- Incident response planning and crisis management: Develop ransomware preparedness protocols, conduct tabletop exercises and simulations, and establish cross-functional response teams.
The Gallagher solution
The use of technology to optimise production and enhance operational efficiency is increasing. This presents an attractive target for cybercriminals who can impose significant financial loss and reputational damage whilst threatening to inflict physical damage.
Businesses must carefully review their insurance policies to understand potential coverage gaps as cyberthreats continue to grow in complexity and severity. In some cases, companies may need specialised insurance solutions to ensure adequate protection against cyber-induced physical losses.
Gallagher offers customised cyber insurance solutions designed to protect organisations against these evolving threats. With this expertise, businesses can effectively manage and transfer risks related to physical damage, business revenue loss and even personal injury caused by cyber incidents.