Cyberthreats are no longer confined to data breaches and digital disruptions — they possess the potential to cause physical damage to your organisation’s property. With businesses becoming increasingly reliant on automation and interconnected systems to enhance efficiency, the risk of cyber incidents triggering physical damage is growing.
Authors: Joe Stubbings, Will Slater

Many traditional insurance policies might not adequately cover these risks, leaving organisations potentially exposed to costly financial and operational setbacks. Understanding coverage gaps and implementing proactive risk management strategies is crucial to safeguarding your assets against the evolving cyberthreat landscape.

The hidden risks in traditional insurance

Traditional cyber insurance primarily focuses on digital threats, such as data breaches and ransomware attacks, but typically excludes physical damage from cyber incidents. This leaves organisations vulnerable to financial and operational losses, particularly for sectors relying on Operational Technology (OT) environments.

A cyber attack targeting OT systems can have real-world consequences, such as equipment failures, production halts and infrastructure damage. From a health and safety perspective, physical damage attacks also have the potential to cause bodily injury.

In tune with these emerging threats, Property and Casualty (P&C) insurers have begun more explicitly defining cyber-related coverage within their policies. However, instead of expanding protection, many insurers are adopting broad, exclusionary language that significantly limits coverage for physical perils such as fire, explosion and flooding caused by cyber incidents.

As a result, organisations may unwittingly operate with critical coverage gaps, leaving them exposed to substantial financial losses in the event of a cyber-physical incident.

Cyber attacks with physical consequences

The convergence of cyber risk and physical damage is becoming increasingly evident, particularly in industries that rely on OT, including but not limited to Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems. Sectors such as manufacturing, energy, transportation and hospitality are particularly vulnerable, as their operations depend on complex digital systems that, if compromised, can lead to severe disruptions, financial losses and even personal injury.

  • Hospitality sector example: A cyber-attack on a building management system could activate sprinklers, leading to significant water damage, business disruption and financial losses.
  • Manufacturing sector example: Hackers targeting ICS networks could override safety protocols, leading to machinery overheating, fires and production halts — endangering workers while resulting in property damage and business interruption.
  • Energy sector example: A cyber-attack on an offshore oil rig’s control system could manipulate operational parameters, such as altering pressure levels or shutting down safety systems. This could result in physical damage, environmental harm, financial losses and potential injury to personnel.

Cyber exclusions in P&C insurance

The rise in high-profile cyber incidents, such as the WannaCry and NotPetya attacks, has reshaped the way insurers assess and manage their exposure to cyber-related losses. These large-scale events demonstrated the potentially systemic consequences of cyberthreats. The widespread disruptions and spillover from such attacks have now prompted P&C insurers to implement a more cautious and restrictive approach towards covering cyber risks.

  • Absolute cyber exclusions: Some P&C carriers explicitly exclude any losses linked to a cyber event, regardless of the nature or impact of the attack.
  • Nuanced exclusions: Other insurers provide limited carve-backs for named perils, such as fire or explosion, when directly triggered by a cyber event. However, these carve-backs often come with strict conditions, such as requiring robust cybersecurity measures or proof of compliance with industry standards.

Businesses operating in OT-reliant sectors face significant challenges due to these exclusions. Unlike traditional information technology (IT)-focused cyber risks, OT cyber threats may cause direct physical harm, including equipment destruction, system failures and safety hazards, which may lead to bodily injury. The lack of clear coverage in P&C policies means organisations may face substantial uninsured losses.

Risk mitigation strategies: Strengthening cyber and physical resilience

While insurance is a critical component of risk management, businesses must also take proactive steps to mitigate their exposure to cyberthreats, particularly those that could lead to significant physical damage or operational downtime. Key strategies include:

  1. Segregation of IT and OT environments: Implement air-gapping, firewalls and strict access controls to reduce interconnectivity and minimise risks
  2. Enhanced cyber hygiene and threat detection: Invest in Endpoint Detection and Response (EDR) tools, Security Operations Centres (SOCs), regular patching and updates, and Multi-Factor Authentication (MFA)
  3. Incident response planning and crisis management: Develop ransomware preparedness protocols, conduct tabletop exercises and simulations, and establish cross-functional response teams

Gallagher’s solution

Businesses must carefully review their insurance policies to understand potential coverage gaps as cyberthreats continue to grow in complexity. In some cases, companies may need to explore specialised insurance solutions to ensure adequate protection against cyber-induced physical losses.

Gallagher offers customised and enhanced cyber insurance solutions designed to protect organisations against these evolving threats. With the expertise Gallagher brings, businesses can effectively manage and transfer risks related to cyber-induced physical damage, business revenue loss and even bodily injury caused by cyber incidents.

Disclaimer

The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher (UK) Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.