Exploring Cyber Insurance and its Intersection with Property Coverage

There is no doubt that technology, the internet, and the exponential connectivity of all the things we use in our daily lives have created unprecedented efficiency, precision, and oversight for nearly every industry.

Technological advancements and increased connectivity also come with increased cyber risks, which are expanding at breakneck velocity. For companies convinced they're fully covered by their cyber insurance policy in the event of a cyberattack, they may be in for a rude awakening. A traditional cyber policy will not cover physical damage to property or equipment caused by a cyberattack—meaning if an attack halts your manufacturing facility and it results in damaged equipment and spoiled products, your cyber policy likely won't cover it.

In this blog, we'll examine the intersection between cyber insurance and property insurance and provide a solution for the coverage gap.

Cyber Insurance versus Property Insurance

While the evolution of cyber insurance is ongoing, it is important to note that traditional cyber insurance policies do not intend to cover losses for physical damage or bodily injury—with a few limited exceptions. Specifically, cyber policies generally cover loss, theft, or damage to electronic data and violations of privacy laws with a suite of first-party coverage to help the insured get systems back online, deal with the threat actors, and provide identity theft notification, prevention, and remediation service as required by law. There may be limited coverage expansions for bricked computer equipment, but that’s about it for physical damage.

Here’s a schematic of what a market standard cyber policy will cover:

Why Won't My Property or General Liability Policy Cover Cyber Loss?

Why don’t most property and general liability policies cover these loss vectors? The answer requires a bit of context on recent cyber events and changes. The NotPetya and WannaCry ransomware attacks resulted in numerous lawsuits against property insurers that did not believe their policies covered physical damage arising out of a cyberattack, and underwriters realized that they had overlooked a massive blind spot. As a result, the concept of “silent cyber remediation” was born.

Over the last five or more years, most (if not all) major insurers have undergone extensive internal audits on their non-cyber portfolios such as property, marine, stock throughput, product liability, and casualty policies to identify and exclude any unintentional or unexpected loss arising from a cyber event. They needed to do this because there was no way to underwrite and quantify the risk, there was no actuarial data to price the risk, and the premiums collected were not nearly sufficient to cover the losses that could occur because of a cyberattack.

As a result of these initiatives, insurers imposed countless new and disparate cyber exclusions on property, casualty, marine, and other policies vis a vis Lloyd’s LMA wordings excluding cyber physical damage. Simultaneously, various global (re)insurers began excluding coverage within their reinsurance treaties for cyber physical damage losses. The resulting situation meant that quite literally every single insurer had their own specific way of reducing exposures to cyber physical damage risk on every single non-cyber policy they offered. It became a rat's nest of coverage disparities and exclusions.

How Companies Can Resolve the Coverage Gap

These exclusions put risk managers and their companies in an exceptionally perilous position. There may be incorrect expectations about how your company’s insurance portfolio will respond to a catastrophic cyber event resulting in property damage—and what’s worse is that the balance sheet protection that insurance brings would evaporate at the point where a company needs it most. As companies streamline their supply chains, increasingly manage their stock and inventory remotely, and rely on automated manufacturing facilities and assembly lines, it’s obvious that a ransomware attack can incapacitate an entire company—spoiling inventory, damaging and wasting raw materials or operational technology, and potentially causing fires and explosions in facilities. Cyberattacks that result in production interruption and physical damage can result in massive recall exposures, breaches of contracts with clients, and horrific repair and replacement expenses for all types of machinery and equipment.

Look no further than Clorox’s August 14th Securities and Exchange Commission (SEC) filing. We now know the cyberattack resulted in damage to portions of the company's infrastructure, caused widespread disruptions to operations, and resulted in product shortages. As of September 18, 2023 (over one month later), Clorox is still transitioning to normal operations.

While this all appears to be doom and gloom, there is a solution. As a result of the silent cyber exclusions now ubiquitous in the insurance marketplace, a highly competent and bespoke market was born that affirmatively covers excluded physical damage and bodily injury perils with policies that dovetail with your company’s property, casualty, and cyber insurance programs. Various leading insurance houses in London, Europe, and North America have carved out skilled underwriting teams to analyze and price cyber physical damage risk. What’s even easier is if you’re already buying cyber and property insurance, you’re 95% of the way there in terms of preparing an underwriting submission. The other 5% is where a good broker can step in to support.

A Three-Step Process to Addressing Cyber Physical Damage Risk

Woodruff Sawyer has built a proprietary process to address cyber physical damage risk with our in-house cyber expertise and industry-leading underwriting partnerships. Here are three steps we take:

1. Alongside your stakeholders, we lead a risk identification exercise. Leveraging the NIST CSF framework, we support you in identifying digital assets such as critical databases, applications, and systems but also identify locations and values exposed to physical cyber risk like industrial control systems, operational technology, smart buildings, etc. Understanding the universe of systems and devices that need to be insured is a fundamental necessity for crafting a cyber physical damage insurance program.
2. We then engage in an insurance portfolio stress test and gap analysis on all your policies. While non-cyber policies offer little or no cyber-related coverage, there are often specific sublimits, ambiguous terms and conditions, and contract-specific “other insurance” provisions that need to be considered when building a parallel cyber physical damage insurance policy. This exercise also creates efficiencies in premium spend by making sure we’re only buying the necessary coverages to fill the gaps.
3. When we’ve painted a complete picture of the universe of risk to be insured and understand where there are gaps in coverage, we take your specific program needs to the global insurance markets including Lloyd’s of London, major North American insurers, and European re(insurers). The highly customized nature of cyber physical damage insurance means that solutions are crafted with laser-focused intent of cover that can sit alongside property policies as a sidecar to offer missing coverage, embed within your property program or syndications to affirmatively fill gaps where certain participants impose harsher cyber physical damage exclusions, or simply step in as the primary insurer for cyber physical damage perils.

Work with a Team of Experts Who Understand the Market

The intersection of cyber risk and physical damage isn’t going away. It’s only getting larger and more critical in nature. All companies need to consider the financial exposures they face when their property insurers exclude loss from cyberattacks. Work with an industry-leading cyber team deeply entrenched in the cyber insurance ecosystem that is uniquely positioned to effectively address cyber physical damage risk to ensure (and insure) your enterprise is protected when the cyberattack comes.