EMERGING CYBER RISK CYBER ATTACKS AND PROPERTY DAMAGE: WILL INSURANCE RESPOND?

Transcription

1 EMERGING CYBER RISK CYBER ATTACKS AND PROPERTY DAMAGE: WILL INSURANCE RESPOND?

2 ABOUT JLT SPECIALTY JLT Specialty Insurance Services is the U.S. platform of JLT Group, the leading specialty business adivsory firm. Our client proposition is built upon our specialist knowledge, client advocacy, tailored advice, and service excellence. Our culture reinforces the value of our people with teamwork and collaboration. Together, we place our clients first, champion independent thinking, and expect to be judged on the results we deliver. ABOUT C/EO A key component of JLT Specialty s recent expansion of its U.S. operations has been the formation of the Cyber and Errors & Omissions Practice (C/EO), a team of motivated and skilled people who bring a wealth of experience in complex cyber and E&O placements, and a proven record of success in working with clients of all sizes. We are committed to growing a specialty business in the U.S. market and are aligned with JLT Groups client-first culture and entrepreneurial drive. We pride ourselves on a pragmatic approach that leverages the Cyber and E&O practitioners deep industry and product knowledge. This starts with an interactive exposure identification and priority discussion. We then transform this discussion into a risk transfer solution strategy, including proposed coverages, insurer partners, and execution timeline.

3 Emerging Cyber Risk: Cyber Attacks & Property Damage Will Insurance Respond? 3 FROM THE ELECTRICAL GRID TO FINANCIAL NETWORKS TO THE WATER SUPPLY CYBER ATTACKS AND PROPERTY DAMAGE WILL INSURANCE RESPOND? Many in the cyber security world are referring to 2014 as yet another Year of the Breach with high profile events occurring at Target, Staples, Home Depot, Sony, and Anthem, among others. These incidents all demonstrated the ongoing ability of hackers to infiltrate security systems (no matter how strong) and highlighted the massive costs and disruptions that result from a cyber security incident in which data is stolen. While cyber attacks continue to be a significant exposure for retailers, healthcare companies, and financial institutions (all of whom have large amounts of personally identifiable information), these companies do have the ability to transfer this risk via cyber insurance policies. Though much of the media focus has been on breaches of private records and information, other industries like manufacturing, energy, and utilities are also at risk from cyber attacks. These industries have long been networked through industrial control systems ( ICS ), like SCADA, that monitor and control industrial processes. These open systems now tie together once decentralized facilities; the system were primarily designed for ease of operation and repair security of these systems was a secondary consideration at best. The loss of data and associated economic damages are of minor concern to these industries; their far larger concern is a cyber attack on their ICS that leads to first party damage to physical property. We now know of two major cyber attacks on physical systems that have resulted in destruction or damage to equipment or property (there are unconfirmed reports of more). The 2010 Stuxnet attack on Iranian control systems allegedly carried out by the U.S. and/or Israeli governments is known to have sabotaged centrifuges at a uranium enrichment facility. More recently and perhaps more troubling because of the unknown identity of the perpetrator is the late 2014 attack on a German steel mill. German authorities reported that hackers attacked a ThyssenKrupp plant and disrupted its control systems in a manner that prevented a blast furnace from being shut down. The report does not specify the physical damage, but calls it massive. Similar ICS manage critical operations affecting key infrastructure The far larger concern of these industries is a cyber attack on their industrial control systems (ICS) that leads to first party damage to physical property.

4 4 Emerging Cyber Risk: Cyber Attacks & Property Damage Will Insurance Respond? German authorities reported that hackers attacked the plant and disrupted its control systems in a manner that prevented a blast furnace from being shut down. The report does not specify the physical damage, but calls it massive. throughout the world from the electrical grid to financial networks to the water supply and the harm caused by a cyber attack on systems in these industries could be catastrophic. From an insurance perspective, the news is not as encouraging when compared to data breaches. The insurance industry does understand that better solutions are needed; insurers in both the property and cyber markets are beginning, albeit slowly, to address the issue. The genesis of most cyber policies was third party loss scenarios for events like passing along a computer virus or harm caused by any sort of network breach. The goal was to cover a company for the liability it incurred due to a cyber event rather than its own losses. First party coverage was also available for loss of intangible property (data or software, but never hardware) and for loss of income or extra expense due to a cyber attack that shut down a network. But the waiting periods were long, triggers and loss calculations difficult, and coverage was often sublimited. Over time, sublimits eased but scenarios where networks were down long enough for insureds to show losses remained rare. As data breaches became the driving issue for cyber placements, first party coverages for breach response and reimbursement of regulatory fines and penalties were added so that both the insured s costs and the third party damages were covered. As mentioned above, these policies are performing very well through established claim payments. But, like most E&O policies, property damage and bodily injury claims are excluded, and claims for damage to the insureds hardware or any other tangible property of the insured or others are not covered. Coverage for first party business interruption losses due to a security failure has also improved, but long waiting periods remain common. The cyber marketplace is slowly beginning to address first party physical property damage caused by cyber events, but coverage is limited and untested. AIG, through their CyberEdge PC product, has attempted to address the issue here in the U.S. This policy offers coverage on an excess and difference-in-conditions basis. It addresses coverage gaps in other policies (e.g., property, casualty, energy, aerospace, environmental, terrorism, etc.), where cyber-related exposures may be excluded or where coverage is limited. To the extent the underlying policy fails to respond to a property damage claim resulting from a cyber event, the CyberEdge policy would drop down to respond. To date, few policies have been written, but the product merits consideration. In London, a handful of carriers (including From the electrical grid to financial networks to the water supply, the harm caused by a cyber attack on systems in these industries could be catastrophic.

5 Emerging Cyber Risk: Cyber Attacks & Property Damage Will Insurance Respond? 5 The cyber marketplace is slowly beginning to address first party physical property damage caused by cyber events, but coverage is limited and untested. Aegis and Brit) offer various coverages to address this risk, but the underwriting has been focused in the property space; premium and program structure (significant retentions) have been inhibitors to buying coverage. Brit, in particular, has created a stand-alone product that affirmatively offers coverage for the first party property damage and, through a consortium, can offer up to $350M in coverage. Acceptance and adoption will take time, and to date standalone options have yet to gain traction, but such offerings indicate that an evolution in coverage has begun. The other avenue for coverage is traditional property policies. However, some carriers offer named peril policies (more common for smaller companies) that are designed to respond to covered causes of loss and perils, (e.g., fire, lightning, explosions, flood). Cyber events have not been included in these lists and they are unlikely to be added. Larger companies usually purchase all risk policies that eliminate this issue. But on these policies, the trends are mixed. For many industries, a number of leading property carriers fully intend to cover property damage that results from a cyber attack. For example, should a hacker attack an industrial system, prevent a machine from shutting down, and cause it to overheat and start a fire, these polices would respond to the property damage caused by said fire. Though their language is often less than definitive, these carriers confirm that their policies cover loss from a fire regardless of the cause. However, other markets, with similarly vague language, state that they are not covering this risk. Whether due to limited cyber underwriting expertise, fear of aggregation issues, reinsurance concerns, or all of the above, they are unwilling to provide coverage for property damages as envisioned in the fire example above. These carriers limit damages to electronic data or software and not tangible property, and are increasingly specifically barring coverage by exclusion or carveback, with this practice more prevalent in certain industries. Energy companies, in particular, face unique challenges in this marketplace. For example, the Institute Cyber Attack Exclusion Clause CL380 is a well-established endorsement barring coverage for cyber events and is especially common in the energy industry. Recently, some markets in London have been willing to carve back or agree to a limited buy back on this exclusion, but acceptance remains uneven and sporadic. Certain Bermuda insurers are also beginning to offer property damage coverage arising out of cyber events, but overall capacity and interest is limited. For terrorism coverage to be triggered, the US government must certify the act as terrorism. With no historical experience to rely upon, it is unclear how this will work in practice.

6 6 Emerging Cyber Risk: Cyber Attacks & Property Damage Will Insurance Respond? Finally, depending upon the nature of the attack, terrorism coverage could provide cover for property damage, even if the underlying property policy did not contemplate cyber triggers. For terrorism coverage to be triggered, the U.S. government must certify the act as terrorism. With no historical experience to rely upon, it is unclear how this will work in practice. The recent Sony attack has been blamed by some on terrorism, but there are mixed views as to who was really involved. As evidenced by the Sony event, disagreements are to be expected and, especially for cyber events, the government may be reluctant or unable to certify a terrorist act, making legal disputes likely. Enterprise-wide cyber activity and cyber losses are increasingly broader than the loss of data, and companies in all industries should review their exposures and consider insurance solutions to mitigate or transfer their particular risks. Our view is that, ultimately, this risk belongs in property policies but much work remains to be done as carrier views on these risks and coverages remain in flux. On privacy risks, the maturing cyber insurance marketplace has seen significant improvements in coverage over the past few years. With the omnipresent cyber threat expanding, we expect insurance coverage in the cyber arena to continue to evolve to solve our clients concerns around property loss as well. Steve Bridges Senior Vice President Cyber and E&O Practice Steve.Bridges@jltus.com JLT Specialty Insurance Services Inc. 300 S. Wacker Dr., 24th Floor Chicago, IL JLT Specialty s Cyber and E&O Practice (C/EO) is a talented team of people who bring a wealth of experience in complex cyber and E&O placements and a proven record of success working with clients of all sizes. At the forefront of developments and trends related to risk, coverage, and claims, we utilize our knowledge and experience to design innovative and market-leading coverage and positive claim results for our clients.