Cyber attacks are becoming increasingly complex, lengthening recovery times and taking a greater toll on business operations. Numerous attacks have zeroed out servers; corrupted, encrypted or exfiltrated data; or caused sustained denial of service to systems. Many of these consequences may occur in a single attack, and coverage under a cyber policy may not be the only avenue to recover losses.
Cyber insurance is a growing market, but it’s not the only place to look for coverage from a cyber attack. Robert Parisi, managing director for Marsh’s FinPro practice, says, “As losses get larger, people are examining their coverage and often taking a shotgun approach to claims and notifying everyone they can if they don’t have express cyber coverage.” Parisi says, “The best approach is not to view a cyber event in isolation but to look at all policies—property, E&O, general liability, terrorism, kidnap and ransom, and fidelity—and see where aspects of a cyber event may be covered.”
Cyber Claim History
In the early days of cyber attacks, companies made claims under their property and commercial general liability policies. Coverage questions initially revolved around whether the loss of data could constitute a direct physical loss or damage under a property policy.
One of the first property policy disputes, Home Indemnity Co. v. Hyplains Beef, was based on a claim for business interruption losses arising from a disrupted computer system. In 1995, the federal district court dodged the question of whether the loss of data was a direct physical loss and focused on the actual language of the business income section of the policy. The policy required a “suspension of operations.” The trial court denied the claim because, although the disruption made the computer system less efficient, a “suspension” of plant operations had not occurred. The Tenth Circuit affirmed.
However, a case in 2000, American Guarantee & Liability Insurance Company v. Ingram Micro, did find that the loss of data constituted physical damage under the company’s business interruption policy. The court noted, “Lawmakers around the country have determined that when a computer’s data is unavailable, there is damage; when a computer’s services are interrupted, there is damage; and when a computer’s software or network is altered, there is damage.”
The insurance industry scrambled to clarify the issue by specifically excluding electronic data from property coverage. Indeed, the current Insurance Services Office’s Building and Personal Property Coverage Form excludes “The cost to research, replace or restore the information on valuable papers and records, including those which exist on electronic or magnetic media, except as provided in the Coverage Extensions.” The current form’s coverage extensions provision limits recovery to $1,000 at each location.
Bucking the Trend
Some insurance companies, however, are turning away from the ISO language and pursuing the cyber insurance market by including cyber coverage in property policies. FM Global, Affiliated, Liberty, AIG and Zurich all include elements of cyber coverage in their company-issued property policies, while XL Catlin and Allianz have cyber extension endorsements available. FM Global’s website states that its Global Advantage policy covers:
- Damage to data, programs or software created by harmful viruses or other malware
- Computer network service interruption due to malicious cyber activity
- Third-party data services interruption (cloud outage) leading to business interruption and/or property damage
- Resulting property damage and business interruption on an all-risk basis.
This type of property coverage can be particularly important when malware infestations require expensive and time-consuming eradication measures, which may involve replacing equipment.
John Dempsey, founder of Terrabella Risk Consultants, says that as attacks increasingly impair system operations, rather than steal data, companies should pay close attention to how an attack impacts the company’s computer systems. “Multipronged attacks are driving multiple claims,” he says. Dempsey’s expertise in quantifying the impact of cyber attacks and supporting business interruption claims has enabled him to understand where other types of coverage may come into play after a cyber event. “If the nature of the IT hardware changes and a client can show loss of functionality, a credible argument can be made that the loss of use of the equipment supports a property claim that the equipment was damaged.”
The recent attack of NotPetya malware is a good example. The malware was a combination of powerful malware tools that deeply infiltrated systems to destroy data and take over file systems. NotPetya created massive business interruptions at large corporations such as Maersk, Federal Express, and Reckitt Benckiser. Maersk’s CEO has estimated the attack will hit the company’s third quarter financial results by $200 million-$300 million. Shipping company TNT, a subsidiary of FedEx, was still feeling the impact of NotPetya three weeks after the attack, with manual processes still in place and widespread delays in service and invoicing.
Mike Andler, property practice leader at Lockton, has been carefully monitoring the cyber coverage extensions in the property insurance market. “We will have to wait and see the result of recent first-party cyber claim activity and its ultimate effect on the marketplace, especially with respect to terms and conditions, price and available limits.” Referring to that shotgun approach he currently sees, Parisi cautions that insurance companies may begin specifically excluding cyber from those traditional policy products that aren’t necessarily intended to cover cyber events.
Accordingly, organizations have to carefully monitor their cyber coverage. The simple data breaches that required only notification to authorities and victims have given way to complex attacks that require a comprehensive approach to cyber risk management. Today, boards and executives must delve deeper when managing cyber risks and examine the interdependencies between business units and IT operations.
They need to determine:
- What types of cyber attacks are possible
- What the impact on operations would be
- What insurance coverage is needed
- What financial limits are required.
Understanding the potential impact of cyber attacks is a difficult exercise that requires technical, operational, legal and insurance expertise. Brokers and agents can assist by helping clients view cyber risks as enterprise risks and examining all their policies to identify possible coverage areas for cyber claims. They also can help identify experienced forensic, technical and legal resources that can assist clients in the event of an incident and, perhaps most importantly, help manage the post-event claims process.
Westby is CEO of Global Cyber Risk.