Potential Critical Coverage Issues
The FBI advised that the recent attack on Sony Pictures Entertainment (SPE) “destroyed systems” and “rendered thousands of SPE’s computers inoperable, forced SPE to take its entire computer network offline, and significantly disrupted the company’s business operations.” The FBI further expressed concern about “the destructive nature of this attack, coupled with its coercive nature.”
While very little information about the physical damage incurred by SPE has been released, cyber security experts are comparing the attack to the Stuxnet attack in 2010, when code was used to cause damage to “actual physical centrifuges.” The SPE attack was not limited to the theft of confidential and proprietary information, but appears to have caused actual physical damage. While we could all be excused for thinking that cyber warfare and attacks are limited to intangible harm to nebulous, ethereal data, the North Korean attack on SPE means that physically damaging cyber attacks, usually confined to James Bond movies, are very real.
Additionally, during the same week that the FBI released its determination about the SPE attack, Germany’s Federal Office for Information Security released a report about hackers breaking into a steel mill’s internal networks and causing serious damage to a blast furnace. While most are aware of state-sponsored attacks against private companies, such attacks were previously limited, at least in theory, to attacks against a company’s intangible assets. The SPE attack should act as a wake-up call for large and small businesses – cyber warfare includes attacks that can and will cause physical damage. As one cyber security expert warned, “the targeted attack is not a threat to just governments and large corporations and big brands … small businesses are also in danger.”
The Insurance Factor
The FBI’s determination will also reverberate throughout the insurance industry as insurers and brokers debate, review wordings, and address the latest development in cyber security and privacy concerns. SPE reportedly purchased $60 million in cyber insurance, but the FBI’s determination that the “North Korean government is responsible for these actions” raises critical coverage issues under cyber policies, general liability policies and property policies. Cyber policies usually contain government entity or public authority exclusions, which exclude coverage for threats made by any government entity or public authority or losses arising out of a government entity’s or public authority’s order. An issue raised is whether the attack on SPE was made by the North Korean government or by an outside group of hackers used by North Korea. That determination or lack thereof may have implications for the application of the exclusion. Additionally, the description of the SPE attack as mere “cyber vandalism” will also be part of any coverage discussion.
The physical nature of the damages caused by the SPE attack and the attack on the German steel mill also raises questions about coverage under a standard insurance portfolio. While debate about whether cyber crisis events result in actual physical damage or loss has continued for years, the SPE and German steel mill attacks establish that certain cyber attacks can result in direct physical loss or property damage. As the coverage threshold inquiry raised under property and general liability policies is no longer in doubt under such circumstances, new questions about coverage for certain cyber events will be raised. The wordings involved with interruption of computer operations coverage and even civil authority coverage under property policies will have to be reviewed in light of the issues raised by physically destructive cyber attacks. Additionally, whether the wordings of war, terrorism, electronic data and cyber attack exclusions would apply in such circumstances will also have to be addressed.
In addition, the SPE attack raises concerns about Congress’s failure to extend the Terrorism Risk Insurance Act (TRIA). Based on the physical damage caused to SPE and in light of the coercive threats against theaters and the surrounding communities regarding the release of SPE’s movie, the failure to extend TRIA raises considerable concerns for businesses and the insurance industry.
Some commentators think that the new Congress may enact legislation early in 2015, retroactively restoring the law. In the interim, however, the lapsing of TRIA will likely have a disruptive and destabilizing effect on businesses and the insurance industry. In such an environment, policyholders will likely be scrambling to purchase coverage from nontraditional sources. As for insurers, they may (a) cease writing terrorism coverage altogether, (b) provide such coverage – but at a higher premium, or (c) look for alternative “backstops” among reinsurers and/or the capital markets.
The SPE and German steel mill cyber attacks raise new and significant concerns for businesses and their brokers and insurers. As cyber security experts believe that all businesses share concerns, industry experts must work with brokers and insurers to develop comprehensive solutions to the dangers raised by physically destructive cyber attacks. Current solutions and the absence of TRIA mean that businesses and the insurance industry must review insurance portfolios and wordings to understand the potential gaps involved with physically destructive cyber attacks.