Traditionally, a cyber breach occurs and otherwise private information is stolen or made public resulting in costs such as notification expenses, IT forensics, data recovery, public relations/crisis management, legal defense, business interruption, brand/reputation damage and regulatory fines and penalties; just to name a few. However, the breadth of cyber-attacks has proven to be ever expanding. Now, breaches resulting in physical property damage are being reported more regularly which leads to the immediate question, “am I covered for such an event?”
For example, a German steel mill had massive damage to its blast furnace after attackers used malicious emails to steal login credentials that allowed them to control the mill’s systems. An unscheduled shutdown of the furnace caused the significant damage. In a more recent event, the Iranian government pointed to cyber-attacks as the cause of a series of fires at Iranian petrochemical plants and facilities. Damage to Bou Ali Sina Petrochemical Complex in Iran's southwestern province of Khuzestan was estimated at some $67 million.
These are extreme cases, of course, but imagine a virus that forces computer cooling fans to slow or stop, causing machines to overheat and catch fire. If not responded to quickly that fire could, potentially, spread throughout an office location or building.
Ordinarily, Cyber insurance policies do not cover property damage (or bodily injury) so insureds will have to rely on more traditional lines for coverage, such as their Property policy or Commercial General Liability policy. Even if Cyber Liability policies did not exclude property damage the capacity is often very limited - especially when compared to more traditional lines of coverage. So while data breaches that result in property damage are less frequent, their results can be devastating and likely in excess of the limits of your cyber policy.
This isn’t to say that property damage resulting from a data breach will definitely be covered by your property policy. You’ll want to confirm that the coverage is “all risk” coverage, which covers any peril not specifically excluded. Also, look for property insurers to begin excluding property damage or business interruption claims related to computer or cyber related incidents in the future.
Click here to request more information about The ALS Group or if you have questions regarding cyber risk mitigation strategies.