In late 2014, it was revealed that a German steel mill sustained significant damage after a cyber attack. The story started as so many involving cyber attacks do. In a spear-phishing attack, the cyber criminal tricked individuals in the organization into clicking a link in an email. Those clicks led to implanted malware that allowed the hackers to obtain login names and passwords that were used to infiltrate the network and, ultimately, the system that controlled the plant's equipment.
Because of the attack, operators at the plant were unable to shut down a blast furnace in the proper manner, causing massive damage to the furnace. Although the name of the plant and the amount of damage were not disclosed in the report of the incident by Germany's Federal Office for Information Security, it is a good example of how a cyber event can cause first-party property damage. 1
There was a time when a business such as the steel mill would have looked to its property policy for coverage and had success, even without an affirmative grant of coverage for losses like this. Many property policies written on an open perils basis neither specifically provided coverage for loss due to cyber events nor actively and effectively excluded such losses. This set the stage for claims to be covered under what is often referred to as "non-affirmative cyber" or "silent cyber" coverage. "Silent cyber" applies when the policy in question does not specifically address coverage for damage caused by a cyber event or does so in a way that creates ambiguity. However, the days of "silent cyber" coverage in most property policies are over.
An alarm was sounded in 2016 by the Prudential Regulation Authority (PRA) in a letter to UK insurers. 2 The PRA, a subsidiary of the Bank of England, is responsible for, among other things, prudential regulation and supervision of insurers. The PRA advised that the "silent cyber" risk is material and that the "silent cyber" loss potential will increase over time. The PRA opined that "action is required across the non-life sector to mitigate the risks."
In an attempt to bring clarity as to whether coverage is provided for losses caused by a cyber event, Lloyd's of London mandated that, starting with policies effective January 1, 2020, all first-party property policies "must contain policy language which is explicit as to whether coverage exists or is excluded in respect of losses caused by cyber risks." In later phases of the Lloyd's mandate, similar clarity became a requirement in other insurance contracts. 3
In a move that affects many more insurers, Insurance Services Office, Inc. (ISO), in 2020, introduced two mandatory endorsements, one of which is to be attached to all commercial property policies.
The Cyber Incident Exclusion (CP 10 75 12 20) endorsement adds an additional exclusion that affects both direct damage and business income/extra expense coverage. Due to the inclusion of anti-concurrent causation language, loss or damage is excluded regardless of any other cause or event that contributes concurrently or in any sequence to the loss.
With this endorsement, there is no coverage for loss caused directly or indirectly by a cyber incident, which is defined to include:
- Unauthorized access to or use of any computer system (including electronic data).
- Malicious code, virus or any other harmful code that is directed at, enacted upon or introduced into any computer system (including electronic data) and is designed to access, alter, corrupt, damage, delete, destroy, disrupt, encrypt, exploit, use or prevent or restrict access to or the use of any part of any computer system (including electronic data) or otherwise disrupt its normal functioning or operation.
- Denial of service attack which disrupts, prevents or restricts access to or use of any computer system, or otherwise disrupts its normal functioning or operation.
The exclusion does not apply to the extent coverage is provided by the electronic data or interruption of computer operations additional coverages, both of which include a computer virus as a covered cause of loss. The included amounts for these additional coverages are small in the ISO forms, with a $2,500 annual aggregate limit for each, so this exception does not have a significant impact in most cases. Aside from this exception, when this endorsement is added, the only coverage that applies for loss involving a cyber incident is for loss or damage caused by fire or explosion that results from the cyber incident.
The Cyber Incident Exclusion with Ensuing Cause(s) of Loss Exceptions (CP 10 76 12 20) endorsement is a less commonly used endorsement. It differs from the Cyber Incident Exclusion in that it allows a specified limit of coverage per occurrence to apply for direct damage, business income, and/or extra expense losses if the cyber incident results in a covered cause of loss. In the case of a policy written with Causes of Loss—Special Form (CP 10 30 09 17), the loss or damage must be by "specified causes of loss" 4 or theft. The limit on the endorsement may be less than or equal to the policy limits and may be subject to an annual aggregate. Full policy limits continue to apply if the resultant damage is by fire or explosion.
What is the answer for insureds who are seeing their property policies being stripped of coverage for loss due to cyber events? There are a few possible solutions.
For many insureds, adding affirmative coverage is not likely to be an option in their existing property policies. More property insurers are trying to actively exclude cyber exposures rather than cover them. For insureds with significant values at risk, though, this is a possibility worth exploring.
Even with a property policy that specifically intends to provide coverage for damage resulting from a cyber event, one must carefully analyze coverage for cyber warfare. A case in point involves Merck & Co., Inc., a global pharmaceutical company headquartered in New Jersey. In June 2017, Merck suffered significant losses due to NotPetya malware. Although a Ukrainian accounting software company was the initial target of this cyber attack by a group of Russian GRU agents, businesses around the world that used the software were ultimately affected. About 40,000 Merck computers were infected, and Merck's production facilities and other operations were shut down. Merck claimed $1.4 billion in damages.
Merck's insurance program involved 26 policies and multiple insurers, with total limits of $1.75 billion in excess of a $150 million deductible. The coverage grant under the Merck policies was broader than most, specifically stating that "physical loss or damage shall include any destruction, distortion or corruption of any computer data, coding, program or software." The policies also provided coverage for business income and extra expense "directly resulting from the failure of the Insured's Electronic Data Processing Equipment or Media to operate, provided such failure is the direct result of a malicious act directed at the Named Insured."
Merck's insurers denied coverage, citing the policies' exclusion for "loss or damage caused by hostile or warlike action in time of peace or war." In May 2023, the Superior Court of New Jersey upheld a state trial court's decision that coverage applied to damages resulting from NotPetya. 5 The court ruled that the hostile or warlike action exclusion did not preclude coverage, stating:
… the NotPetya attack is not sufficiently linked to a military action or objective as it was a non-military cyberattack against an accounting software provider … the Insurers did not demonstrate the exclusion applied under the circumstances of this case, namely, that this cyberattack was a 'hostile' or 'warlike' action as contemplated under the exclusion.
In January 2024, before the New Jersey Supreme Court could rule on the case, Merck settled with insurers for an undisclosed sum.
It is too soon to know how other courts may respond to similar coverage questions involving war exclusions. Any type of war exclusion should be carefully reviewed to determine, to the extent one can, how coverage may apply in the event of an attack that could be considered cyber warfare. This advice applies regardless of the type of policy used to cover damage that arises from a cyber event.
For some insureds, an equipment breakdown policy may offer needed coverage after a cyber event. To be clear, most equipment breakdown forms do not intend to cover damage that occurs, for example, when malware is introduced into a system. ISO's Equipment Breakdown Protection Coverage Form (EB 00 20 01 13), for example, covers "breakdown" to "covered equipment." "Breakdown" is defined as:
… the following direct physical loss that causes damage to "Covered Equipment" and necessitates its repair or replacement:
- (1) Failure of pressure or vacuum equipment;
- (2) Mechanical failure including rupture or bursting caused by centrifugal force; or
- (3) Electrical failure including arcing;
unless such loss or damage is otherwise excluded within this Coverage Form.
Source: Insurance Services Office, Inc., Equipment Breakdown Protection Coverage Form (EB 00 20 01 13), © 2011
In addition, the Equipment Breakdown Protection Coverage Form (EB 00 20 01 13) specifically states that "breakdown" does not include "defects, erasures, errors, limitations or viruses in computer equipment and programs including the inability to recognize and process any date or time or provide instructions to 'Covered Equipment.'"
The final blow to coverage under the ISO form is that a Cyber Incident Exclusion (EB 10 01 06 21) has likely been added. Much like the Cyber Incident Exclusion added to property policies and described above, this mandatory endorsement removes coverage for any loss or damage caused directly or indirectly by a cyber incident.
To provide equipment breakdown coverage, many insurers use ISO forms or proprietary forms with coverage features similar to the ISO form. There are more robust forms, though, designed to provide broader coverage for computerized equipment. These forms could provide coverage for damage to equipment that happens during a cyber event.
Hartford Steam Boiler Inspection and Insurance Company (HSB), for example, has a form that can be written to provide coverage for loss due to electronic circuitry impairment in addition to the traditional equipment breakdown perils. Pertinent language from that form includes:
15. "Electronic Circuitry Impairment"
- a. "Electronic circuitry impairment" means a fortuitous event involving "electronic circuitry" within "covered equipment" that causes the "covered equipment" to suddenly lose its ability to function as it had been functioning immediately before such event...
14. "Electronic circuitry" means microelectronic components, including but not limited to circuit boards, integrated circuits, computer chips and disk drives.
10. "Covered Equipment"
- a. "Covered equipment" means the following:
- (1) Unless specified otherwise in the Declarations:
- (a) Equipment that generates, transmits or utilizes energy, including electronic communications and data processing equipment; or
- (b) Equipment which, during normal usage, operates under vacuum or pressure, other than the weight of its contents
- "Covered equipment" may utilize conventional design and technology or new or newly commercialized design and technology.
Source: The Hartford Steam Boiler Inspection and Insurance Company, HSB TechAdvantage™ Equipment Breakdown Coverage Form, TEC150 07/2015, © 2015
With language such as this, coverage may apply when a hacker causes damage to equipment during a cyber attack or when a computer virus is introduced into the system. With a covered peril, coverage would apply to direct damage and business income/extra expense losses.
When most businesses and insurance practitioners think of first-party cyber coverage, they think of nonphysical losses. Coverages that first come to mind are for breach response, cyber extortion, data restoration, and business interruption when data is corrupted or systems are unavailable.
Many cyber insurers offer coverage for computer replacement, also known as bricking. If a computer system is permanently damaged by malware, for example, it is said to be "bricked"—the hardware has essentially become unusable, a brick. Bricking coverage pays the cost to replace the computer system.
Even without the addition of cyber-incident exclusions to a property policy, a property policy may not cover a loss involving "bricked" hardware. Property coverage applies to direct physical loss of or damage to property. And, while some courts have ruled that a loss of functionality constitutes physical damage, many have relied on the traditional understanding of "physical," requiring some physical alteration of the property. 6 "Bricking" a device by changing its firmware may not satisfy this coverage trigger.
In determining whether bricking coverage is adequate for an insured's needs, it is particularly important to understand what property could be damaged in a cyber event and to what property the bricking coverage applies. Coverage under most forms applies only to items considered part of the insured's computer system. Going back to the German steel mill, bricking coverage would not help with damage to the blast furnace.
Many cyber policies now include first-party property damage coverage that extends beyond bricking. The form may cover, for example, damage to any tangible property resulting from a cyber event. Coverage, when it applies, is often subject to a sublimit and may not fill all of the gaps created when cyber coverage is removed from a property policy. The need for a careful review of the coverage terms cannot be overemphasized.
Lastly, recall the previous advice regarding coverage for cyber warfare. Cyber policies are not immune to coverage issues resulting from war exclusions, and policy language varies widely here as well.
As more equipment becomes controlled by computers and connected to networks, the exposure for property damage due to a cyber event grows. Increasingly, property policies are specifically excluding or limiting coverage for this exposure for both direct damage and business income/extra expense losses. Solutions may be available from some property insurers, equipment breakdown insurers, and cyber insurers.
When crafting a solution for a particular business, it is important to ensure that all policy language is thoroughly reviewed in an attempt to minimize gaps and overlaps. And, in cases where overlap is present, it is important to make certain that policies' other insurance clauses express the intended priority of coverage.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.