As the control and operation of physical assets becomes increasingly managed by computers that are themselves interconnected, a new threat of bodily injury and property damage through computer attack is causing growing concern for risk managers.

Traditionally, cyber-attacks have been aimed at the theft or compromise of data, the disruption of computer systems, and financial gain through ransomware, whether the attacker was a rogue employee, a criminal hacker or a nation-state. The resulting loss and harm has likewise been financial in nature – ransom payments; consequential lost income; the cost of breach response and notification; liability to clients plus defense costs; regulatory fines and penalties; and so on.

Cyber insurance has grown up against this threat background, with coverage developing to address each of these direct financial costs and consequences of an attack on computer security, and it has been, and continues to be, a satisfactory solution for those traditional costs. Cyber policies, however, generally exclude property damage and bodily injury, typically on the argument that other insurance policies should provide that coverage.

Operational and control risks

However, as we become more interconnected, operational technologies (which previously were isolated systems) are increasingly connected to and part of broader information networks and technologies. As a result, attackers who gain access to those systems can take control of the physical assets, with the potential to cause property damage and bodily injury.

For example, consider the adoption of Positive Train Control (PTC) in the rail industry. PTC is a system that monitors and controls train movements: a train may move only when it has received positive permission, and in the absence of that permission the movement is halted. The system is designed to prevent rail collisions, but a cyber-attack that compromised it could cause it to fail in service, resulting in property damage to the train and surrounding infrastructure and bodily injury to passengers and others nearby.

This use of and reliance on operational technology exists in many other areas of the economy too, including manufacturing, utilities (power, water, etc.), heavy industry and critical infrastructure. Supervisory Control and Data Acquisition (SCADA) systems and other Industrial Control Systems (ICS) monitor and control key processes in electrical power grids, water distribution, wastewater collection systems, oil and LNG pipelines, railway transportation, manufacturing plants and refineries.

Attacks on SCADA and ICS are made not only through brute force and insiders, but also through advanced persistent threats, spear phishing, SQL injection, distributed denial of service and social engineering.

In each case, unauthorized access to those systems opens the possibility of outside interference in, and control of, the physical process, resulting not only in data breach but in actual physical damage and bodily injury as the systems are directed (or simply allowed) to run contrary to their intended safe design and operation.

In practical terms, attackers gain access to the organization's control systems and, unfortunately, there is now a public trail of such events and exposures, documented in the references at the end of this article, including:

  • the Maroochy Shire sewage spill¹
  • a Polish teen derailing a tram after hacking the train network²
  • Stuxnet, which destroyed centrifuges with a small piece of code³
  • a hack attack that caused 'massive damage' at a steel works⁴
  • the potential for connected cars to be turned into 'killing machines'⁵

In each case, a key cyber exposure was property damage and/or bodily injury through unauthorized access to control systems.

Even more concerning, new ransomware variants are appearing that specifically target industrial control systems and critical infrastructure. Ekans, a recently discovered ransomware variant, has been reported to terminate a list of ICS-related software processes before encrypting data, halting the processes those systems run.⁶

Insurance Response

While some may believe that their traditional liability and property policies already cover cyber risk that results in bodily injury and property damage, this is not necessarily the case. Nor have cyber insurers generally been willing to cover that bodily injury and property damage exposure.

Indeed, the standard cyber policy contains specific exclusions for claims and losses arising from these perils, as those insurers focus instead on addressing financial liability arising from breaches of security and privacy.

More widely, the following exclusions have typically come into play:

Where such exclusions are applied across various insurances covering property damage and bodily injury, the emerging risk of malicious takeover of control systems needs to be addressed through either endorsement to traditional policies or in tailored (or standalone) cyber policies.

The absence of cyber exclusions in traditional liability and property policies causes its own problems. When a policy fails to express its intent (through either affirmative cyber coverage or a clear exclusion), disputes inevitably follow: insureds claim coverage while insurers say that was never their intent. The result is disappointed insureds on the one hand and, on the other, insurers that have failed to underwrite (and charge premium for) the silent cyber risk they end up carrying.

Some insurers are taking steps to address this silent coverage. For example, prompted by the Prudential Regulation Authority⁷ (the UK's prudential regulator, part of the Bank of England), Lloyd's of London has mandated⁸ that coverage be made clear, through either affirmative coverage or an express exclusion, starting with all first-party property policies incepting on or after Jan. 1, 2020 and followed later by liability policies and reinsurance treaties. Similarly, Allianz Global Corporate & Specialty has announced⁹ that it will provide affirmative cyber coverage across its traditional P&C insurance products, and AIG will do the same¹⁰.

Risk managers in energy, oil & gas, critical infrastructure, utilities, mining, manufacturing, transport and other industries that rely on control systems, can look to their broker for advice on:

  • Affirmative cyber coverage for property damage, bodily injury (as well as legal liability and business interruption loss)
  • Primary (non-contributing) cyber insurance that responds without first requiring other insurers to decline the claim
  • Silent coverage analysis and remedies

In summary, as organizations increasingly rely on connected operational technologies to efficiently manage their processes, the risk of cyber-attack resulting in property damage and bodily injury increases. Traditional insurances and program structures do not adequately (or at all) address this exposure. In response, risk managers and their brokers can secure new solutions from insurers that actively understand the risks and want to cover these exposures.

  1. Massachusetts Institute of Technology – "Cybersafety Analysis of the Maroochy Shire Sewage Spill"
  2. The Register – "Polish teen derails tram after hacking train network"
  3. Medium – "Stuxnet, or how to destroy a centrifuge with a small piece of code"
  4. BBC News – "Hack attack causes 'massive damage' at steel works"
  5. Consumer Watchdog – "Kill Switch – Why Connected Cars Can Be Killing Machines And How To Turn Them Off"
  6. Ars Technica – "Crude But Concerning – New ransomware doesn't just encrypt data. It also meddles with critical infrastructure"
  7. Prudential Regulation Authority – "Cyber underwriting risk: follow-up survey results"
  8. Mound Cotton Wollan & Greengrass LLP – "Lloyd's Takes A Stand Against 'Silent' Cyber Coverage: How May That Affect The Market Moving Forward?"
  9. Business Insurance America – "AGCS global cyber head explains stance on silent cyber"
  10. "AIG and Affirmative Cyber"