NEW YORK (Thomson Reuters Regulatory Intelligence) - Cyber insurance has been marketed mostly as a way to protect companies against liability for privacy and data security breaches. Financial firms and their clients, however, should also ensure that there are no gaps in liability coverage for other types of cyber-related risks.
These include cyberattacks that exploit vulnerabilities in industrial control and other web-based systems that support the operation of much of modern infrastructure. These systems can include supply chain logistics, energy grids and back-office financial operations.
Hackers can hijack these systems not only to steal data and interrupt commerce. They can also launch “cyber-physical” attacks aimed at crippling operations or causing bodily injury and property damage. For example, the Department of Homeland Security this month issued an alert that highlighted increasing Russian government cyber activity targeting energy and other critical infrastructure sectors.
"Since at least March 2016, Russian government cyber actors—hereafter referred to as 'threat actors'—targeted government entities and multiple U.S. critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors," the alert warned.
Russia has denied such hacking in the past.
Cyber-physical risk will only increase as more machines, from medical devices to fuel tankers, become connected to the “Internet of Things.”
Proprietary systems used by banks and other companies are also vulnerable; it is difficult to physically isolate, or “air gap,” these assets from public networks.
The failure to protect against these risks could leave companies exposed to liability claims from customers, bystanders and other third parties. Insured firms, however, cannot take for granted that their traditional coverage or even their cyber policies will cover all cyber risks.
When data-breach risk first emerged, insurers had not priced it into their broadly worded commercial general liability (CGL) policies. Many insurers reacted as they commonly do to emerging risk, such as terrorism after the 9/11 attacks. They simply excluded the risk from new standard policies and renewals.
Eventually, better risk price modeling allowed insurers to transfer the risk to new products (in this case, cyber policies) designed specifically to fill the gap, providing not only protection against third-party liability, but also related first-party network business interruption losses.
Standard cyber policies aim to avoid redundant coverage by excluding bodily injury and property damage liability. The thinking here is that these claims are already covered under traditional policies like CGL Coverage A, the standard form developed for the insurance industry by the Insurance Services Office (ISO).
The problem for insureds is that cyber policy exclusions may not dovetail with the coverage actually provided by Coverage A or other traditional policies. Over time, exclusions and lower sub-limits have crept into traditional policies that can leave many insureds with little or no coverage for cyber-induced physical losses, including losses that would have been fully covered had they not been induced by hacking.
CGL policies typically contain one of two ISO endorsements (revised in 2014) that stingy insurers could interpret to exclude cyber-physical risk. One endorsement excludes liability claims for property damage “arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” That endorsement maintains coverage for bodily injury claims. The other endorsement excludes claims for both bodily injury and property damage liability.
Insureds expect courts to interpret exclusions narrowly; otherwise they risk paying premiums for nothing. But the broad language could present problems for companies seeking coverage for cyber-physical risk. For example, many courts interpret “arising out of” to require only a broad (rather than a stricter proximate) causal connection between the injuries suffered and the specified cause, making no distinction between whether the language is contained in an insuring agreement or an exclusion.
Furthermore, “electronic data” is defined to include not only information, but also software and computer programs. Thus, insurers could argue that the language excludes property damage and/or bodily injury claims arising from a wide range of malicious hacking activities, and not just the theft of private information.
Insureds can try to negotiate better terms and conditions, but exclusions have a funny way of creeping upstream into reinsurance contracts. It might be economically unfeasible for primary insurers to make concessions. For example, marine insurance customers have had a tough time carving back a clause which excludes coverage for losses, including liability, arising from the use or operation of any computer hardware, software or system “as a means for inflicting harm.”
In the meantime, some insurers have tried to fill the gap by offering excess insurance that can cover cyber-physical losses beyond the limits or sublimits of the underlying CGL policy. But this works only if cyber-physical losses are not excluded in the first place. Another option is “difference in conditions” (DIC) coverage that “drops down” to cover liability claims that are subject to a cyber-physical exclusion in the underlying policy.
In guidance issued in December 2016, the U.S. Treasury Department confirmed that stand-alone cyber liability insurance policies classified as “cyber liability” (rather than professional errors and omissions liability) for state regulatory purposes are included in the Terrorism Risk Insurance Program (TRIP).
The program was authorized by the federal Terrorism Risk Insurance Act of 2002 (TRIA), as amended. Under the program, the federal government provides reinsurance for certified acts of terrorism that meet the specified loss thresholds.
In exchange, affected insurers (property and casualty insurers such as CGL insurers, but now also cyber liability insurers) must offer embedded coverage for losses induced by terrorism based on the same terms, amounts and other limitations applicable to losses already covered under their policies. But that’s not the same thing as requiring CGL or cyber insurers to extend terrorism coverage for losses like cyber-physical risk that they may have broadly excluded in the first place.
One condition for recovery under an embedded terrorism policy is U.S. government certification that the attack was made to coerce U.S. civilians or the U.S. government. Although there have been attacks within the United States attributed to supporters of international militant networks or ideologies, no such attacks have been certified under TRIP. High TRIP loss thresholds are also a factor.
If it’s difficult to certify physically-induced acts of terrorism, it will be even harder to allocate responsibility for cyber-induced terrorism where the motive and identity of the perpetrator are not clear.
Stand-alone terrorism policies offered outside the regulatory environment of the program can cover both certified and non-certified acts of terrorism, and typically with higher limits. The issue again is the difficulty in ascertaining the motive or identity of the hacker, which depending on the language of the policy, may preclude coverage under a stand-alone terrorism policy that requires a terrorism motive.
(Lawrence Hsieh is a senior legal editor for the Practical Law division of Thomson Reuters and author of the Corporate Transactions Handbook. The views expressed here are his own.)
This article was produced by Thomson Reuters Regulatory Intelligence and initially posted on Mar. 22. Regulatory Intelligence provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges.