Hunton Andrews Kurth LLP
  April 27, 2014 - Virginia

Perspectives: Today's Digital Risks Require Broad Cyber Insurance Coverage
  by Lon Berk

On the market since the late 1990s, cyber insurance is nothing new. But as the Internet spreads deeper into people's lives, cyber risks continue to grow and evolve well past simple data loss or compromise. Insurance buyers should try to find an insurance form to address their specific cyber needs, including the potential of business interruption, loss of reputation, and even bodily injury and property damage, says attorney Lon Berk, a partner advising clients on cyber insurance procurement and recovery at Hunton & Williams L.L.P.


The hacking of retailer point-of-sale systems has made clear cyber risk exposures can be enormous. With good reason, such incidents have increased the attention on and demand for cyber insurance. But insurance buyers need to beware not only of cyber risk, but also of buying insurance policies that do not address their particular exposures.


Although on the market since the late 1990s, cyber insurance has no single standard form. Many cyber risks fall outside the usual cyber policies, and companies should make sure their particular risks fall within the form they purchase.


The public focus has been on protecting against data loss. Most cyber policies do a solid job of protecting against data loss exposures. They typically provide coverage for the costs of identifying and notifying consumers, of providing credit-monitoring services, of forensic analysis and legal fees, and of the costs of defending against consumer and regulatory claims arising from the breach. But many — though not all — cyber policies restrict coverage to such exposures, providing little or no coverage for a victim's business interruption or loss of reputation. Perhaps more seriously, virtually all cyber policies exclude coverage for bodily injury and property damage.  

The importance of securing proper coverage for a data breach should not be minimized. But data loss is not the only cyber risk, and insureds need coverage for these other risks, too. 


The need for broader cyber insurance is acute in the energy sector. Companies in that industry may handle a huge amount of data about customers and energy usage. They also may control critical infrastructure, including portions of the electric grid, pipelines and refineries, all of which are subject to cyber exposure. Indeed, Lloyd's of London has reportedly refused to sell some of these companies cyber insurance, apparently taking the position that energy infrastructure is too insecure to insure. 


Much of this infrastructure is operated through supervisory control and data acquisition (SCADA) systems: geographically distributed control networks that monitor and direct physical processes. They combine telemetry, data acquisition and control functions to automate industrial operations. In the simplest architecture, a central master station (the control center) communicates with scattered field units, typically remote terminal units or programmable logic controllers, that collect sensor readings and execute operational commands.


It was long believed that such networks were not part of the Internet and were therefore immune from cyber attack. That belief was inaccurate. Components of these networks often are connected to the Internet and, as such, can be subjected to malicious code and other cyber attacks. Researchers using Shodan, a search engine that indexes Internet-connected devices by the services they expose, have identified thousands of SCADA components reachable from the Internet.


Even if a component is not directly connected to the Internet, SCADA systems often share equipment with other systems that are. For example, a company may route both its e-mail server and its SCADA network through the same router; even if the SCADA side cannot send or receive e-mail, a compromise of the router through the e-mail server can expose the SCADA network. Additionally, malicious code can be, and has been, loaded directly onto infrastructure components through USB devices and the laptops used to program or update control software. SCADA components often communicate over wireless links and are subject to man-in-the-middle attacks, as is any device on a wireless network that does not authenticate its peers.
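To make the preceding two paragraphs concrete, here is an added example that is not part of the original article and is not code from any company or researcher it mentions. It parses Modbus/TCP, a common SCADA protocol that the article does not name, and flags write commands coming from any host other than an assumed engineering workstation. The point it demonstrates is that the protocol carries no authentication at all, so any network path to the device (Internet exposure, a shared router, a wireless man-in-the-middle) lets the attacker issue commands. The host addresses, register numbers and captured frames are constructed for illustration.

```python
"""Flag unauthenticated Modbus/TCP write commands from unexpected sources (added example)."""
import struct
from dataclasses import dataclass
from typing import Optional

# Public Modbus function codes relevant to this check.
READ_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
}
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    src: str                # source IP of the TCP connection (assumed to be captured with the frame)
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]  # starting coil/register address, when the PDU carries one
    value: Optional[int]    # written value (single writes) or quantity (reads / multi-writes)


def parse_modbus_tcp(src: str, frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP application data unit: 7-byte MBAP header + PDU.

    Note that no field anywhere in the frame identifies or authenticates the
    sender: whoever can reach TCP/502 on the device can issue any command.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    # The MBAP length counts every byte after itself: unit id + PDU.
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d disagrees with frame size %d" % (length, len(frame)))
    function = frame[7]
    address = value = None
    if function in READ_FUNCTIONS or function in WRITE_FUNCTIONS:
        if len(frame) < 12:
            raise ValueError("truncated PDU for function %d" % function)
        address, value = struct.unpack(">HH", frame[8:12])
    return ModbusRequest(src, tid, unit, function, address, value)


def audit_writes(captured, allowed_writers):
    """Return (src, description, address) for every write not sent by an allowed host.

    `captured` is an iterable of (src_ip, frame_bytes). Malformed frames are
    reported as well, because field devices may react unpredictably to them.
    """
    alerts = []
    for src, frame in captured:
        try:
            req = parse_modbus_tcp(src, frame)
        except ValueError as exc:
            alerts.append((src, "Malformed: %s" % exc, None))
            continue
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append((src, WRITE_FUNCTIONS[req.function], req.address))
    return alerts


# Constructed sample capture (not real traffic); hosts and registers are invented.
ENGINEERING_WORKSTATIONS = {"10.1.1.20"}
SAMPLE_CAPTURE = [
    # HMI polling ten holding registers: read-only, expected.
    ("10.1.1.10", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # Engineering workstation setting register 0x10 to 1: expected.
    ("10.1.1.20", bytes.fromhex("0002 0000 0006 01 06 0010 0001")),
    # Internet host (documentation address range) setting register 0x10 to 0xFFFF.
    ("203.0.113.45", bytes.fromhex("0003 0000 0006 01 06 0010 ffff")),
    # Unknown internal host forcing eight coils on, e.g. via a compromised shared router.
    ("10.1.1.99", bytes.fromhex("0004 0000 0008 01 0f 0000 0008 01 ff")),
    # Header claims 6 trailing bytes but the frame carries only 4: malformed.
    ("10.1.1.99", bytes.fromhex("0005 0000 0006 01 03 0000")),
]

if __name__ == "__main__":
    for src, what, addr in audit_writes(SAMPLE_CAPTURE, ENGINEERING_WORKSTATIONS):
        print(f"ALERT {src:>14}  {what}" + ("" if addr is None else f"  @0x{addr:04x}"))
```

Run as a script, the block reports the external write, the write from the unexpected internal host and the malformed frame, while the HMI's reads and the engineering workstation's write pass silently. In a real deployment the source address would come from the TCP session in a packet capture or a span port, and the allow-list would be the documented set of engineering hosts; the check is only meaningful because Modbus itself gives the device no way to tell the hosts apart.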


There have been documented cyber attacks on industrial control systems. The Stuxnet malware is the best-known example. It spread among Windows machines, altered the code running on the Siemens programmable logic controllers that drove the centrifuges, and reportedly destroyed about 1,000 centrifuges at Iran's Natanz uranium enrichment facility. Similar malware, apparently derived from the Stuxnet code, has since been found on energy companies' systems as well. Other malware has been discovered in an electric utility's turbine control system, where it affected computers on the control system network. And the FBI's cyber division has reported that infrastructure network systems in three cities were compromised.


In short, these networks are subject to the full range of cyber risks (malware, denial-of-service attacks and other dangers), as are all systems connected to the Internet.


It is not hard to imagine vast property damage and personal injury resulting from a cyber attack on SCADA, a “cyberscadageddon.” Electric grids might be shut down through denial-of-service attacks, and fuel might be diverted from delivery to refineries. A recently leaked Federal Energy Regulatory Commission report suggests that the U.S. could suffer a coast-to-coast blackout if just nine of the country's 55,000 electric-transmission substations were knocked out. How many of those substations could be taken down by Stuxnet-like code is unknown.


Such risks are, moreover, likely to increase. More and more ordinary items are being manufactured with embedded processors and connected to the Internet. As this so-called “Internet of Things” grows, the risk of data loss may be dwarfed by other cyber events. 

Already, there have been apparent cyber attacks using this “Internet of Things.” One security provider, Proofpoint Inc., uncovered “smart” appliances, including refrigerators and televisions, being used to further malicious activities. And it was recently reported that an advanced electric car can be hacked. As more ordinary devices incorporate processors and are connected to the Internet, the risk of a security event extends beyond loss of data to injury to persons and property.


Unfortunately, most cyber insurance does not protect against such infrastructure risks. Many, if not all, cyber insurance policies exclude bodily injury and property damage. Others define coverage so narrowly that sound arguments can be made that bodily injury or property damage caused by a cyber attack on a network falls outside the scope of coverage.


Moreover, at the same time insurers are issuing these narrow cyber policies, they also are attempting to limit the coverage provided for cyber risks under traditional property and liability policies. For example, the Insurance Services Office Inc. is proposing certain exclusions be incorporated into traditional property and liability policies. These exclusions, although apparently intended to bar coverage for claims relating to loss of personally identifiable information, such as those recently suffered by retailers, could be read more broadly by insurer advocates seeking to limit coverage.  


One exclusion bars coverage for injuries resulting from “loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data.” In high-stakes disputes involving coverage for property damage or bodily injury resulting from a cyber attack on a private network, an aggressive insurer advocate might contend these exclusions apply. 


A final problem with obtaining cyber coverage for infrastructure is the terrorism exclusion. Many cyber attacks on infrastructure are carried out by “hacktivists” or by groups affiliated with nation-states. Security researchers who set up a decoy (honeypot) utility control system online determined, as MIT Technology Review reported, that it had been attacked by groups affiliated with the People's Republic of China. Some terrorism exclusions are written so broadly that they might be read to exclude coverage for politically motivated cyber attacks performed by or in the name of nation-states, even where there is no physical attack. If courts give such exclusions a broad interpretation, they could eliminate much coverage for critical infrastructure, creating another potential gap in cyber insurance.


There are brokers and insurers working to fill these gaps in cyber insurance and to provide coverage for nondata losses that may result from a cyber attack. One broker has a product providing protection for attacks on networks not only for data loss, but also for damage to components. An insurer recently announced coverage that might extend to bodily injury. 


Cyber security is not merely about protecting data. Especially where infrastructure is at issue, it involves the protection of lives and property as well. Firms buying cyber insurance need to be sure they have protection against the full risk of a cyber attack, not only against lost or publicized data.