Companies’ awareness of “cyber” risks has increased significantly because of large and highly publicized data security breaches, such as Target and Home Depot. Companies are starting to more proactively manage the risk of data security breaches by strengthening their IT defenses and, in many cases, buying cyber insurance. However, many do not realize that data security breaches are just the tip of the cyber-risk iceberg. Because nearly our entire economic system depends on electronic devices, machinery and infrastructure that is connected to the internet (i.e., the “Internet of Things”), the potential exists for much larger scale hacking attacks that could control, damage, destroy or shut down many of the systems on which we rely to conduct business. Some of this risk is covered by cyber insurance, but much of it is not. Proactive and effective “Enterprise Risk Management” will be vital to companies seeking to protect themselves against these growing risks. Businesses should carefully review their unique risk profiles, indemnity contracts and insurance policies (including their non-cyber “traditional” policies) to identify and mitigate their exposures.
We have all heard of the large scale attacks on Target, Home Depot and more recently, Ashley Madison. The news generated by these cyber attacks has contributed to the public’s increasing awareness of the large volumes and types of personal information that companies are holding about their customers. To protect themselves against some of the losses that such data security breaches may cause, many companies have prudently responded by buying “cyber insurance.”
But few realize that data security breaches are just the tip of the cyber-risk iceberg. While the storage of personal information on the internet has grown exponentially, so has the connectivity of pretty much all the electronic consumer products, corporate computing infrastructures and industrial machinery on which our economy relies. The enormous number of devices and machines that are connected to the internet do not just give hackers additional ways of gaining access to computer systems and the data they store – the Target hackers accessed the point-of-sale terminals via the company’s HVAC system. Hackers now have the ability to cause widespread physical and economic harm by shutting down or damaging critical systems.
A few lesser known recent events show the massive risks associated with the Internet of Things:
In late 2014, the German government quietly acknowledged the hacking attack of a German steel mill, in which hackers gained control of a smelting furnace and caused it to overheat, resulting in substantial damage to the furnace and interruption of the mill’s business.
“White-hat” hackers were recently able to remotely take partial control of cars (steering, braking and acceleration) while they were speeding down the highway.
The FDA and Department of Homeland Security recently recommended that hospitals across the nation stop using certain medical pumps because they rendered the hospital’s systems vulnerable to cyber security threats. There are a number of stories of parents discovering that their internet-connected baby monitors had been hacked, allowing third parties to control the monitors. One of these events was discovered when the parents heard someone yelling obscenities at their sleeping child, and noticed that the monitor’s video camera followed them round the room when they went to investigate.
Even household “smart” fridges have been known to be used as “bots” in the sending of spam email by remote hackers.
The bottom line is – if a device connects to the internet, it’s vulnerable. And so is the rest of the system connected to it. Insurance companies are taking notice.
Recently, Lloyd’s of London authored a report of potential consequences of a hypothetical attack on the electricity grid of the eastern United States. Lloyd’s calculated that losses to the economy could be as high as $2 trillion, with only about one quarter of that covered by insurance.
Insurance companies are beginning to realize that their “cyber” exposure is not limited to cyber insurance policies. It runs through their traditional lines of coverage, such as property, general liability and directors’ and officers’ liability insurance.
The exposures faced by organizations of all types are far-ranging. First-party losses can include stolen data, property damage (spoiled products, damaged hardware), business interruption (both direct and contingent) and reputational harm. Additionally, organizations face exposure to lawsuits from customers and business partners for lost data, property damage (both physical and loss of use), bodily injury, violation of privacy and consequential losses, including reputational harm. Directors and officers of organizations face the possibility of investigations and lawsuits for not anticipating and protecting their companies’ assets against these kinds of attacks.
Further, manufacturers and suppliers of even small components are finding themselves facing huge potential exposures. Imagine the violation of privacy claims facing a small start-up company whose baby monitors allowed hackers to scream at babies. Or the exposure of a manufacturer of a communications module in a large system which allowed hackers access to the databases holding Personally Identifiable Information (PII) and Protected Health Information (PHI) of the biggest retailers or health providers in the country.
Which insurance policies would cover which losses and liabilities is still, to a great degree, unclear. Cyber insurance policies are designed to provide some protection against first party losses resulting from a data security breach, such as response and investigation costs, fines and damaged computer hardware. They can also provide protection against third party liability risks from the theft of PII and PHI, and certain consequential losses.
But cyber insurance has limits. It may not cover first party property damage (other than to computer systems). Even if it does, only low sub-limits may be available. Additionally, while these policies can cover direct business interruption, they may not to cover contingent business interruption (interruption to your business caused by a disruption to a vendor’s business or supplier’s system (such as a credit card processor or internet provider). They likely will not cover the value of your IP that may have been stolen.
On the third party liability side, they will pay response costs and the defense of lawsuits against you from customers whose PII or PHI has been compromised. But they may not coverage IP infringement caused by you, or other losses of business information. And again, be aware of limits – defense costs are usually within limits, not in addition (as in the traditional CGL policy). They are also likely to have war and terrorism exclusions – which could eliminate coverage for state-sponsored attacks (such as the well-publicized attack on Sony Pictures in 2014).
Traditional property policies may provide some coverage. But these policies were designed decades ago, before the internet existed and before cyber attacks had been thought of. Currently, there is no cyber exclusion in the “special form” (all risk) standard policy. But since cyber attack is not a listed peril, there is no coverage in the named perils version of that form. The smaller ISO “Businessowners” policy now specifically includes some cyber coverage, but the limits available are only $10,000 to $100,000.
The coverage picture for the conventional CGL policy is also unclear. In Zurich American Ins. Co., et al. v. Sony Corp. of America (No. 651982/2011 (NY Sup. Ct., New York City)), the trial court determined there was no coverage under the personal and advertising injury section of a CGL policy for the theft of PII because there was no evidence the information had been “published.” Sony appealed, but the case settled before the appeal was heard. Other litigation over this issue has not produced a clearer picture. In 2014, the Insurance Services Office (ISO), which develops insurance policy forms that many insurers incorporate into their policies, developed a blanket data/personal information exclusion that insurers are now adding to policies. The use of this endorsement is likely to become more widespread as insurers try to push these risks out of CGL coverage and into a standalone cyber policy.
D&O policies may provide some coverage for third party claims alleging financial loss. These policies are non-standard (meaning that one insurer’s policy is different to the next). Therefore, policies should be reviewed very carefully. Finally, Technology Errors & Omissions policies, which are also non-standard, may provide some coverage for third party claims based on errors in products or services leading to a loss.
The bottom line is that every organization – for-profit, not-for-profit, governmental, medical or commercial – needs to review its exposures very carefully from an “Enterprise Risk Management” perspective. After understanding those exposures, it needs to review its risk transfer instruments – insurance policies and indemnity agreements – very carefully. A good broker is essential and the use of coverage counsel is often recommended in shaping an insurance program that best addresses each organization’s risks. Legal input can be helpful – indemnity agreements are only as good as the financial backing behind them and often run the “wrong way,” especially for small companies.
Finally, remember that what is covered today may not be covered tomorrow. The insurance landscape is changing quickly. The insurance industry is developing new products, but is also modifying its existing products so that risks not contemplated when the policies were drafted do not inadvertently fall within coverage. Review renewal policies just as carefully as new policies before buying them.