Emerging cyber risks reshape the market in the internet-of-things era

As the internet of things connects machines in complex networks, a new cyber risk is developing — bodily injury or property damage as a result of a cyber breach. Employers and risk managers need to consider the worst-case scenarios of a cyber breach of these systems.

At the same time, insurance companies that write property and general liability policies are starting to push back to avoid picking up this exposure, which may create a gap in your company’s coverage.

Smart Business spoke with Patrick Zedreck, area assistant vice president at Arthur J. Gallagher & Co., about how to mitigate coverage gaps with your cyber risks.

How has this cyber risk developed?

The traditional cyber policy addresses the financial aspects of a breach, such as the cost of notifying individuals of compromised information as well as defending against a lawsuit. It doesn’t, however, extend to covering bodily injury or property damage that result from a breach. For example, the Target Corp. data breach came through a HVAC company that serviced Target stores. While the hacker only took payment card information, that same server could have potentially allowed the hacker to overheat or freeze all of Target’s refrigeration units.

A cyber policy won’t pick up this kind of claim. While a property or general liability policy theoretically covers it, carriers are adding exclusions for cyber-based claims, specifically unauthorized access exclusions for bodily injury and property damage.

What businesses are most vulnerable?

If a manufacturing plant is run on a network, a hacker could overheat a machine and cause property damage or potentially bodily injury. Someone also could hack into a hospital’s network to access patient monitors or the pharmacy. While most hackers focus on financial gain — credit card information or ransom to return the organization’s data — that doesn’t eliminate the motivation of causing damage.

If your company isn’t linked to the internet of things, you don’t run the same risk. But building controls, utilities, etc., are increasingly connected. A refrigerator unit made by a large manufacturer might have a firewall, but the password could be the same for every single unit — and it could be easy for the hacker to determine. Once a hacker determines the password, he or she could theoretically access every unit manufactured.

How should employers cover this exposure?

It’s crucial to sit down with your broker and do a full gap analysis between the property, general liability and cyber policies. You need to be aware of what exclusions are on what policies and make sure there are no significant coverage gaps.

Because the claims information and actuarial data is still dynamic, insurance companies are including exclusions for this risk. Property, general liability and cyber carriers each want this exposure to trigger a policy they didn’t write. Currently, general liability carriers are issuing three types of unauthorized access exclusions. The least restrictive just excludes personal and advertising injury as a result of a breach, which a traditional cyber policy could cover. The other two exclude bodily injury and property damage as well. You’ll want to work with your broker to closely examine the exclusion language.

Going forward, as insurance companies continue to add cyber-based exclusions, some will come out with a policy form that expressly covers bodily injury and property damage resulting from a cyber breach.

It’s also a good idea to review your contracts with suppliers and vendors for cyber liability coverage requirements and standard security protocols.

What else can minimize this risk?

Getting the most advanced security and privacy training is important because employees are the biggest exposure for letting these breaches in — but they can also be the first line of defense. For example, an email may say, “You just booked something for $5,000, click here if you didn’t.” An untrained individual clicks the link, malware or a virus is on the network and the hacker is in. One error can expose an entire company.

Many people don’t realize how connected their systems are. The entire organization — from the CEO to the lowest-ranking employees — needs to work together to keep the company network safe. It doesn’t benefit anyone to experience a breach.

Insights Insurance/Risk Management is brought to you by Arthur J. Gallagher & Co.