“The Physical Damage Hot Potato”

First, I have to say that Paul Stockman at McGuireWoods has beaten me to the punch in his article, “Cyber Risk ‘IRL’.”  So, read that.

Stockman addresses a coverage issue I’ve noted in cyber policies across carriers.  They tend to say something like: “The Company shall not be liable for Loss on account of any Claim or for any Expense…for bodily injury…or damage to or destruction of any tangible property.”  Carrier’s position: If the data breach or malware attack causes an explosion, that’s on somebody else.  My take – well, it would depend on the facts, the policy wording and the state of the law in the relevant jurisdiction.  Of course.

It’s now clear, however, that cyber attacks can do more than corrupt and steal electronic data.  Cyber attacks can also result in machine malfunctions that cause physical harm “IRL,” or “in real life.”  Consider a hacker taking control of an HVAC system, or a car or a nuclear centrifuge (it separates uranium isotopes to make nuclear bombs).  The result: IRL, broken stuff, injured people, damage.

Where is that covered?  Commercial general liability policies would be the obvious answer.  But, these days, CGL policies generally contain exclusions purporting to limit coverage for losses “arising out of” various types of cyber events.  The scope of these exclusions is unclear and untested.  If physical disaster ensues after a cyber event, does the resulting harm “arise out of” the malware attack?  Or does it arise out of a lack of preventative measures (i.e., negligence) and therefore fall squarely within the coverage people expect from a CGL policy?  Don’t hate me – it depends… on the outcome of lengthy litigation that either has not occurred or has not resulted in a reported opinion to date.

At the moment, the answer may be to add coverage for bodily injury/property damage “arising out of” cyber events by endorsement, either to your CGL or cyber policy (varies by carrier).  Depending on the premium implications, you can make a business decision based on your level of exposure to this type of risk.  Eventually, this issue will create a body of case law involving both CGL and cyber policies, but, until that time, belt and suspenders (and what could in retrospect be a waste of money) is probably the only way to gain real comfort that this risk doesn’t fall into the gap.