Another Cyber-Risk: Hacks That Cause Property Damage and Interrupt Business Processes

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.natlawreview.com/article/another-cyber-risk-hacks-cause-property-damage-and-interrupt-business-processes

In recent years, there has been no shortage of news about large-scale data
privacy breaches; incidents that have affected tens of millions of
consumers nationwide. Those incidents have spurred a growing market for
so-called “cyber-policies.”  However, not nearly as much attention has been
given by insurers or the media to the serious risk of large-scale physical
property damage and business interruption losses stemming from a
cyber-breach. This relatively sparse amount of attention persists even
though the U.S. Department of Homeland Security has warned that, “[a]s a
nation, we face constant cyber-threats against our critical infrastructure
and economy.”

How could a cyber-incident cause property damage or significant
interruption of business activity?  Consider that a hacker who gains access
to a company’s computer systems and penetrates its operational or plant
controls could cause breakdowns in company processes, or even outright
destruction of certain physical facilities.  A hacker could also reroute
shipments, interrupt supply chains and wreak other types of havoc with
products, property and procedures.

In a recent survey, 54 percent of business respondents reported that in the
last year their organization had experienced an attack in which the
attacker attempted to manipulate the organization’s equipment through a
control system. The risks to particular segments of the marketplace, such
as homebuilders and some of the contractors with whom they work, are
readily apparent.

As these risks mount, insurance coverage will need to keep pace.  Even when
“insurance for property damage caused by a cyberattack” becomes more widely
available, it is almost a certainty that insurers and policyholders will
have substantially different views of what should and should not be covered
when a cyberattack causes physical damage and business interruption.
Insurers have already begun to develop and publish a number of exclusions
aimed at property and business interruption losses stemming from
cyberattacks, such as the Institute Cyber Attack Exclusion Clause CL380 (a
domestic form) and Electronic Data Exclusion NMA2914 (a London Market
form). However, these forms are not universally added to form property
policies and some larger companies have custom-designed policies that do
not include those forms.

Policyholders must not simply assume that their cyber-risk policies are the
only coverage available to them. By the same token, they also should not
assume that their property policies will cover damage resulting from a
cyber-breach. Policyholders should work closely with counsel and with their
brokers in advance of policy renewals to assess their levels of coverage,
and to strategize about the terms and provisions that they need to
negotiate into (or out of) their policies.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!