There have been relatively few confirmed cyber attacks resulting in substantial physical harm to property (other than computer hardware) and people. The first known event involved the 2008-2010 infiltration of a computer virus called “Stuxnet” into Iranian networks that controlled nuclear subterfuges. The virus caused them to spin out of control, destroying about 20% of them. Another involved a hacking attack on a German steel mill in 2014, causing a blast furnace to malfunction and resulting in massive damage. Last year, an Iranian petrochemical company suffered a series of fires and explosions believed to have been caused by a hacking attack. And for each of these types of events, there have been innumerable other attacks on that could have but did not result in physical harm.
While underwriters still struggle to accurately quantify this risk, there is an increased willingness to enter the cyber-physical coverage market in different, and sometimes fairly creative, ways. But this risk doesn’t only impact cyber-coverage. Cyber-physical attacks can have enormous consequences, with damages likely to exponentially exceed the coverage provided by these new products. These attacks can be coordinated across multiple geographic regions, they can impact many people and businesses across numerous economic sectors and they appear to be easier than ever to anonymously effectuate.
The increased ease with which these attacks can be carried out coupled with the unprecedented level of harm they can cause requires likely targets to carefully explore the cyber-physical risk market. These circumstances, however, also require renewed consideration of traditional coverages by those who may be impacted downstream and by those who might find themselves defendants when even cyber-physical coverage purchased by the targets of these attacks proves woefully insufficient in light of the extent of harm. In fact, there are likely few companies that don’t need to revisit their entire insurance programs in light of the emerging cyber-physical risk. Consider whether coverages and limits are still appropriate for cyber and traditional coverages. This will get physical.