If a cyber incident causes physical damage or business interruption, which insurers will speak up?
The risk of a cyber incident causing physical damage or business interruption is growing all the time.
Worst-case scenarios might include a cyber attack on aviation infrastructure, railways, chemical plants and munitions factories, according to research by Cambridge University's Centre for Risk Studies.
We saw some of the risks during the NotPetya ransomware attack in June 2017. The American pharmaceutical company Merck reported severe disruptions to its manufacturing capabilities, limiting its ability to produce vaccines and medications. Total losses to Merck have been estimated at hundreds of millions of dollars. Meanwhile, Danish shipping giant A.P. Moller-Maersk reported system failures, with business volumes negatively affected for some weeks. Its Q3 results were expected to be hit by around $200-300 million.
Such losses have naturally increased discussion around the role of insurance. Which losses are insurable, and by which insurance policy? A property insurance policy, or a specialist standalone cyber policy?
Companies in the manufacturing, energy, retail and hospitality sectors are likely to have been offered, or to currently purchase, cyber coverage from the property insurance marketplace.
However, some property insurers – whose profit margins have been placed under particular pressure following recent market losses – may start rowing back on some of the cyber coverage they provide through existing policies.
As a result, certain companies and industries with a large physical footprint – particularly critical infrastructure companies – could find themselves under-insured against certain cyber risks.
It is unclear whether property underwriters will simply remove affirmative grants for cyber coverage (leaving policy ‘silence’ on whether cyber losses are covered) or altogether exclude cyber coverage.
Many insurers are expecting to report silent cyber losses in the next 12 months. The risk of silent cyber is highest in the IT/utilities/telecom industry, but many insurers have found that the risk of silent cyber has increased across all industries.
Reflecting this trend, the International Underwriting Association (IUA) has drafted a broad clause to address silent cyber risk. The clause can be inserted into almost any P&C insurance policy to totally exclude cyber exposures. (It includes a provision that would allow the contractual parties to agree to include cyber-related exposures on a case-by-case basis.)
These developments may spur an even greater need for, and further creation of, standalone specialist insurance policies covering first-party physical and non-damage BI losses from unauthorised cyber access.
Lockton has recently launched a policy form that extends cyber to cover property damage and bodily injury on a wrap basis. This means that the policy will provide coverage for property damage arising out of a cyber event where the policyholder’s property policy excludes the coverage.
Companies that currently purchase a small amount of cyber coverage through their property insurance should liaise with their broker to establish whether their cyber exposures are best covered through a standalone cyber policy, or as part of another insurance policy.
For more information, please contact Max Perkins on:
Tel: +1 404 460 0793 | Email: MPerkins@lockton.com