In the December post Systemic Cyber Risks And The Internet of Things, we wrote about the increasing risk of cyber attacks on infrastructure and consumer products, and related insurance issues. We noted in that post that, while there have been a few cyber attacks on the Internet of Things (IoT) reported over the past few years, the number of such attacks was certain to grow. It has. Since our December post, several new attacks and developments have been publicly disclosed. These attacks again remind us that companies should evaluate their risks and exposures relating to the IoT and carefully negotiate their insurance policy renewals or purchases.
Recent Cyber Attacks
The New York Times reported recently that, for the first time, cyber attackers caused an electricity grid black-out (read the article). The attack affected 225,000 electricity customers in Ukraine. American investigators have concluded that the attackers, possibly the Russian military or private parties in Russia, reportedly conducted “extensive reconnaissance” of the Ukraine power system’s networks and stole operators’ credentials. They then switched off the breakersand back-up power supplies so that, once the power failed, operators could not turn the lights back on. According to the U.S. Department of Homeland Security, the malware designed for the Ukrainian power grid was directed at “industrial control systems,” which act as the intermediary between computers and the switches that distribute electricity and guide trains as they speed down the track, the valves that control water supplies, and the machinery that mixes chemicals at factories. It was later revealed that similar attacks were launched against a mining company and a railway operator in Ukraine. This attack prompted the Obama administration to warn U.S. power companies, water suppliers and transportation networks that they could suffer similar attacks.
Similarly, the Israeli government announced in January 2016 that it had foiled a “severe cyber attack” against the Israeli Electricity Authority (read more). The attack itself did not result in any disruption to the country’s power grid, but some government systems were taken offline as a protective measure.
Also, in a widely reported move, U.S. prosecutors indicted seven Iranians in connection with an attempted cyber attack in New York state, in which the attackers attempted to take over the controls of a suburban dam and succeeded in shutting down some banks’ computer systems (read more).
There have been several other similar attacks, including one in which a hacker group claimed to have temporarily and partially taken control of a NASA drone (read more). As further evidence that world governments are taking the risk of infrastructure IoT attacks seriously, the U.K. and U.S. governments recently announced that they will stage a combined table-top “war game” later this year to simulate a cyber attack on a nuclear power plant (read more). The purpose of the simulation is to test the sufficiency of both government and utility companies’ defenses and responses to such an attack. The nuclear power plant test follows a similar exercise in which City of London and Wall Street banks were subject to cyber attack tests (read more).
These recent developments show both that attacks on critical infrastructure are real and that cyber criminals are intent on doing damage in the real world. The damage could and likely will come in many forms, including property damage, bodily injury, business interruption and invasions of privacy, among others. And while a number of these attacks appear to have been “state-sponsored cyber terrorism” types of attacks, it is only a matter of time before the technological know-how trickles down to the criminal element, whose main interest is making money – either by being hired to damage a competitor, or to blackmail a company with the very real threat of doing massive physical damage.
Evolution of Cyber Insurance
While these are recognized as “cyber” attacks, companies’ cyber insurance policies may provide only limited, if any, insurance coverage for some of these losses. Many cyber insurance policies exclude coverage for losses and claims relating to bodily injury and property damage. When they cover such losses and claims, the scope of the coverage is often limited and/or subject to sub-limits.
As a result, insureds may need to rely on their “traditional” insurance to protect them against losses and claims, such as property, general liability and errors and omissions liability coverage. However, insurers are now starting to add language to new policies that seeks to eliminate coverage in these types of policies for cyber attacks, though insurers’ practices are far from uniform in this area.
Several insurers have started offering “difference in conditions” (DIC) cyber insurance, which supposedly covers certain property damage and/or bodily injury losses and claims arising from cyber attacks. This coverage is brand new and, to our knowledge, has not been tested. Further, because the policies are non-standard, policies similar in appearance from different insurers may offer significantly different coverages.
In light of the uncertainty relating to insurance coverage for IoT losses and likelihood that IoT cyber attacks will continue to increase, policyholders should work closely with their brokers and coverage counsel to review their entire insurance program. They should identify possible gaps in coverage and seek to fill those gaps by negotiating more favorable policy language or buying additional insurance with the coverage needed to address their IoT risks.