Property risks and cyber events – is there cover?
Currently in the insurance market, there is little by way of express cover for property damage arising out of a cyber event. Where there is cyber cover, it is usually only for personal or financial losses, rather than property losses including business interruption.
This emerging issue is giving rise to a debate within the insurance industry as to whether a cyber event, or the consequences of a cyber event, could be a “peril” within existing covers. There is a perception that if such an event occurs in the absence of any kind of cyber cover, an insured may look to its general liability policy. There is, however, little claims history on this issue.
At the same time, the cyber insurance landscape is changing significantly, and rapidly, with increased regulation, cyber events, and AI changes to consider. More and more, governments and insurance industry leaders are focusing on:
- The “affirmative cyber risk”, i.e. the risk which is positively included in cyber covers, whether in stand-alone policies or by positively endorsing other policies for cyber cover, e.g. general liability policies which include cover for cyber-related privacy breaches; and
- Increasing insurers’ awareness of “non-affirmative cyber risk”, or silent cyber risk, i.e. where policies may cover the event or the loss, whether through gaps in express cyber exclusions or a total absence of express cyber exclusions.
Cyber cover – what is it?
There is no one standard policy offering cyber cover, and the product is known to vary widely. Coverage for physical damage, injury, or environmental events is, however, the least commonly offered. This reflects the fact that present threats to operational technology are, arguably, less well recognised than information technology threats, or perhaps are not seen as being dealt with as urgently as personal data or cyber security concerns. In addition, accumulation of risk is a real issue.
Although cyber policies may indemnify an insured for third party losses arising from physical loss, destruction of data or damage to data that arises from a privacy event, such policies usually expressly exclude cover for loss from any bodily injury or property damage to tangible property.
Physical damage from cyber threats
If there was a cyber event causing property damage, would it be covered under a property policy?
Property damage cover is a material risk policy, covering first party loss, triggered by damage to physical property, and business interruption. By their nature, property damage policies are not designed for cyber, or cyber-attack events, because:
- such policies effectively pre-date the widespread use of the internet, and incidences of cyber hacking, ransomware, terrorism and the like;
- damage to software and data is not usually covered by a property policy, being an intangible asset;
- a property policy may exclude any physical loss, destruction or damage happening because of third party access to an insured’s computer system; and
- there is often an exclusion for monetary or data loss from attempted or actual extortion or kidnapping.
Furthermore, if for example the damage was a result of a malicious hack, then there is even less of a prospect of cover, as most such policies routinely incorporate exclusions for extortion, hacking, terrorism, computer crime, or external threats of that kind.
Does the insurance industry have an answer?
There is a growing market for addressing the risks of damage to property in the context of cyber events, particularly where there is increased focus on the potential accumulation issues from silent cyber risks.
The insurance industry’s response to these coverage issues is rapidly emerging. As the uptake in cyber products is increasing, and insurers are actively addressing silent cyber risk, there is a commensurate increase in innovation in the product range being offered, to include cover for certain instances of physical damage caused by a cyber event.
For example, insurers are providing cover for consequential loss arising from a cyber event, where there is no question of hacking or criminal/dishonest behaviour, or cover for differences in conditions between an insured’s cyber and property liability policies. Also, very recently the UK government’s terrorism reinsurance pool announced that from April 2018, its terrorism cover will no longer have an exclusion for cyber-related property damage.
Plainly, with so many cyber or technological unknowns, and a significant accumulation risk, there is growing focus on risk analysis above and beyond the usual underwriting process, with a commensurate level of data and security due diligence. At present, although there is an increase in insurance offerings for this type of risk, it seems that bridging the gap between property damage cover and emerging cyber risks remains a work in progress, with the industry constantly reviewing and innovating.
This article was written by Ailbhe Kirrane, Partner.