This post is part of a series sponsored by Amwins.
As cyber incidents develop in sophistication, scale and frequency, real estate and accident car companies are growing concerned about the potential for unintentional claims. These cyber risks, for which real estate and damage companies have neither subscribed nor charged, can significantly increase their portfolio exposure. In response, many insurance companies have adopted various exceptions, sub-limits and amendments to non-cyber insurance. This issue of non-affirmative coverage for cyber incidents is called silent cyber.
Silent cyber incidents occur when coverage for a cyber-related loss is either inadvertently provided by insurance policies not specifically designed to cover cyber risk or the exposure is specifically excluded by the primary cyber policy or other policies, leaving coverage gaps.
Before you chalk up silent cyber as something that does not affect your customers or may just be important to resellers who make professional line accounts, take a look at some coverage line and industry specific examples.
When cyber events turn into property and accident
Although you can primarily associate cyber attacks with financial losses, today's cyber events can also lead to first or third party physical or physical harm or bodily loss. damage. For example:
- Feature: Network interruption caused by a ransomware attack takes a critical HVAC system offline at a fruit warehouse. This causes the temperature to peak in excess of optimal threshold values, which results in damage to the household goods as well as the plant itself.
- Accident: A manufacturer's industrial control system is hacked and manipulated remotely to speed up the belts. This results in an overload on workstations and injuries to workers.
When situations like these occur, what policy covers the claim? This is the basic question behind silent cyber and why dealers who place real estate and accident policies should be aware of the problem.
How Silent Cyber Creeps Into Different Industries
Düsseldorf University Hospital fell victim to a ransomware attack that destroyed their entire technology network. With the hospital's system offline, there was a major disruption to patient care, including the redirection of ambulances to other nearby hospitals. As with most itinerant rides, time is of the essence, and during the event a patient died in critical condition during transit.
In this case, a cyberattack led to a tragic death. When lawsuits are filed for events like this, where can the hospital look for insurance coverage?
- Most cyber policies on the market today include exceptions (or at best restrictions) for bodily harm and loss of property damage.
- A medical policy for malpractice would probably not apply, as the incident was not due to a malfunction of the treatment or medical advice. It is also important to note that cyber exceptions are added to the E&O policy more often.
- A general liability policy may not respond as losses due to cyber incidents are often excluded.
In summary, non-cyber lines generally exclude cyber as a trigger or danger; Cyber policies often exclude bodily harm and loss of property damage. When one excludes the loss and the other the risk, a silent cyber incident occurs.
Mondelez International is a manufacturer of snack brands, including Cadbury, Oreo, Ritz, Triscuits, Toblerone and Tang. When NotPetya malware infected two of its servers, a significant portion of the company's global Windows-based applications were affected, as well as its sales, distribution, and financial networks across the enterprise. Mondelez experienced data damage and delivery and distribution disruptions totaling more than $ 1
This cyberattack led to significant business disruptions due to first-party damage to their "walled" equipment. Where can manufacturers look for insurance coverage for events like this?
- Property policy is often about "direct physical loss" and in this case the property was essentially undamaged. Furthermore, in this example, the carrier questioned the allegation because of a policy clause that excludes all "hostile or warlike acts" by any "government or sovereign power." NotPetya is widely seen as being a state-sponsored cyberattack, with Russia sovereignly portrayed as potentially behind malicious software.
- Cyber policy is often focused on the resulting economic loss. In this case, the masonry equipment resulted in a financial loss, but what about the actual masonry equipment that needs to be replaced? This is equivalent to millions of dollars in equipment value that traditional cyber policy either excludes or provides a minimal lower limit, which leaves the insured responsible for the cost.
When reading the fine print, the property policy coverage was not responding. A broadly written primary policy, or the introduction of cyber umbrella policy, could have responded.
Marine / Transportation
A shipping manager, AP Moller-Maersk, reported a loss of $ 300 million due to a malware attack that affected three of their large companies and paralyzed their logistics operations worldwide. . Not only did the company lose revenue during the shutdown and the ensuing slow period, they also had to invest in finding a way to continue their business after their go-to system was taken down by the attack as well as rebuilding their IT department.
This cyberattack led to significant delays, lost business and reputation damage. Where can logistics and other transport companies look for insurance coverage for events like this?
- Property insurance traditionally covers costs for business interruptions, but only those that arise as a result of traditional hazards. Cyber-exemption removes ambiguity about their intention to cover.
- Stoned or disabled computer hardware is likely to need to be replaced, which is often exempt from property policies and small sublimits may exist on a cyber policy.
Imagine if Maersk could not coordinate the movement of ships that led to collisions or other damage. If property, accident and marine policies had cyber exemptions and the cyber policy has a property damage exclusion, there would be a silent cyber gap in the coverage.
Cyber events can happen to insured people of all sizes in all industries – just look at the latest SolarWinds hack and its far-reaching impact. These events not only lead to financial loss but can also cause first-degree or third-party bodily injury or physical harm. Therefore, silent cyber is not only an issue for dealers who focus on placing policies for professional lines, it is also absolutely necessary for dealers of real estate and accidents who want to protect their customers.
Amwins offers the only product on the market specifically designed to combat silent cyber incidents. . CyberUP is a comprehensive cyber umbrella policy designed to fill policy gaps by dropping, not overlapping, existing policies across multiple coverage lines. CyberUP gives resellers and insured peace of mind about the type of losses triggered by a cyber incident. Contact your Amwin's professional line broker or visit amwins.com/cyberup to learn more.
Do you need help determining your insured's specific silent cyber exposure and if they need CyberUP? We have developed a self-evaluation tool to identify risk factors and deliver an easy-to-understand point that dealers can share with their insured.
Ta Silent Cyber Exposure Evaluation.
About the Authors
This article was written by Kasey Armstrong and Megan North, professional line brokers with Amwins Brokerage in Seattle, WA and the creators of CyberUP.
Interested in Cyber ?
Get automatic alerts for this topic.