Perspectives: Today's Digital Risks Require Broad Cyber Insurance Coverage
On
the market since the late 1990s, cyber insurance is nothing new. But as the
Internet spreads deeper into people's lives, cyber risks continue to grow and
evolve well past simple data loss or compromise. Insurance buyers should try to
find an insurance form to address their specific cyber needs, including the
potential of business interruption, loss of reputation, and even bodily injury
and property damage, says attorney Lon Berk, a partner advising clients on
cyber insurance procurement and recovery at Hunton & Williams L.L.P.
The
hacking of retailer point-of-sale systems has made clear cyber risk exposures
can be enormous. With good reason, such incidents have increased the attention
on and demand for cyber insurance. But insurance buyers need to beware not only
of cyber risk, but also of buying insurance policies that do not address their
particular exposures.
Although on the market for about 20 years, there is no one cyber insurance form. Many cyber risks fall outside the usual cyber policies, and companies should work to be sure their risks fall within the purchased form.
The
public focus has been on protecting against data loss. Most cyber policies do a
solid job of protecting against data loss exposures. They typically provide
coverage for the costs of identifying and notifying consumers, of providing
credit-monitoring services, of forensic analysis and legal fees, and of the
costs of defending against consumer and regulatory claims arising from the
breach. But many — though not all — cyber policies restrict coverage to such
exposures, providing little or no coverage for a victim's business interruption
or loss of reputation. Perhaps more seriously, virtually all cyber policies
exclude coverage for bodily injury and property damage.
The
importance of securing proper coverage for a data breach should not be
minimized. But data loss is not the only cyber risk, and insureds need coverage
for these other risks, too.
The
need for broader cyber insurance is acute in the energy sector. Companies in
that industry may handle a huge amount of data about customers and energy
usage. They also may control critical infrastructure, including portions of the
electric grid, pipelines and refineries, all of which are subject to cyber
exposure. Indeed, Lloyd's of London has reportedly refused to sell some of
these companies cyber insurance, apparently taking the position that energy
infrastructure is too insecure to insure.
Much
of this infrastructure is operated through supervisory control and data
acquisition systems (SCADA), a geographically expansive private network that
monitors data regarding system operations. This network combines telemetry,
data acquisition and control systems to automate industrial operations. In its
most simplified version, it consists of a central operating unit networked to a
series of scattered regional units that monitor input and execute operational
commands.
There
had been a belief that this kind of network is not part of the Internet and is
therefore immune from cyber attack. That belief was inaccurate. Components of
the network often are connected to the Internet and, as such, can be subjected
to malicious code and other cyber attacks. Researchers using a search engine
SHODAN that permits identification of connected network components, have
identified thousands, if not millions, of components of these systems on the
Internet.
Even
if a component is not directly connected to the Internet, the systems often
share components with other systems that are connected. For example, a company
may share a router with its email server and SCADA system and, while the latter
may be unable to receive and send emails through that router, a compromise of
the router through the email server can compromise the SCADA. Additionally,
malicious code can be and has been uploaded directly onto infrastructure
components through USB devices and computers used to program and/or update
network software. SCADA components often communicate wirelessly and can be
subjected to man-in-the-middle attacks, as can any device on a wireless
network.
There
have been known cyber attacks on industrial control systems. The Stuxnet
malware is the best-known example. It infected files and eventually resulted in
the destruction of 1,000 fuel centrifuges inside Iran's uranium fuel enrichment
program. Similar malware, apparently based upon the Stuxnet code, has been
found in energy companies' systems as well. Other malware has been discovered
in an electric utility's turbine control system that affected computers on the
control system network. And the FBI cyber division reported that infrastructure
network systems in three cities had been compromised.
In
short, these networks are subject to the range of cyber risks, malware,
denial-of-service attacks and other dangers — as are all systems connected to
the Internet.
It
is not hard to conjure vast property and personal injuries resulting from a
cyber attack on SCADA — a “cyberscadageddon.” Electric grids might be shut down
through denial-of-service attacks, and fuel might be diverted from delivery to
refineries. A recently leaked Federal Energy Regulatory Commission report
suggests that the U.S. could suffer a coast-to-coast blackout, if just nine of
the country's 55,000 electric-transmission substations were knocked out. How
many of those substations could be taken down by a Stuxnet-like code is
unknown.
Such
risks are, moreover, likely to increase. More and more ordinary items are being
manufactured with embedded processors and connected to the Internet. As this
so-called “Internet of Things” grows, the risk of data loss may be dwarfed by
other cyber events.
Already,
there have been apparent cyber attacks using this “Internet of Things.'' One
security provider, Proofpoint Inc., uncovered “smart” appliances, including
refrigerators and televisions, used to further malicious activities. And it was
recently reported that an advanced electric car can be hacked. As more
“ordinary devices” incorporate processors and are connected to the Internet,
the risk of a security event extends beyond loss of data to injury to persons and
property.
Unfortunately,
most cyber insurance does not protect against such infrastructure risks. Many,
if not all, cyber insurance policies have exclusions for bodily injury and
property damage. Others define coverage so narrowly that sound arguments can be
made that bodily injury or property damage caused by cyber attacks on networks
are outside the scope of coverage.
Moreover,
at the same time insurers are issuing these narrow cyber policies, they also
are attempting to limit the coverage provided for cyber risks under traditional
property and liability policies. For example, the Insurance Services Office
Inc. is proposing certain exclusions be incorporated into traditional property
and liability policies. These exclusions, although apparently intended to bar
coverage for claims relating to loss of personally identifiable information,
such as those recently suffered by retailers, could be read more broadly by
insurer advocates seeking to limit coverage.
One
exclusion bars coverage for injuries resulting from “loss of, loss of use of,
damage to, corruption of, inability to access or inability to manipulate
electronic data.” In high-stakes disputes involving coverage for property
damage or bodily injury resulting from a cyber attack on a private network, an
aggressive insurer advocate might contend these exclusions apply.
A
final problem with obtaining cyber coverage for infrastructure is the terrorism
exclusion. Many cyber attacks on infrastructure are performed by “hacktivists”
or organizations affiliated with nation-states. Researchers from the
Massachusetts Institute of Technology set up a phony private network utility
system online and were able to determine it was hacked by groups affiliated
with the People's Republic of China. Some terrorism exclusions are so broadly
written they might be read to exclude coverage for cyber attacks politically
motivated and performed by or in the name of nation-states, even if there is no
physical attack. Such exclusions, if given broad interpretations by courts, could
eliminate much coverage for critical infrastructure, creating another potential
gap in cyber insurance.
There
are brokers and insurers working to fill these gaps in cyber insurance and to
provide coverage for nondata losses that may result from a cyber attack. One
broker has a product providing protection for attacks on networks not only for
data loss, but also for damage to components. An insurer recently announced
coverage that might extend to bodily injury.
Cyber security is not merely to protect data. Especially when infrastructure is at issue, cyber security involves the protection of lives and property, too. Firms buying cyber insurance need to be sure they have protection against the full risk of a cyber attack and not limit their protection to lost or publicized data.