Talk about being lost in translation. This morning Bob Hendren posted this to the Chief Financial Officer (CFO) Network group over on LinkedIn:
Bodily Injury (BI) and Property Damage (PD) coverage is typically associated with General Liability, but if the underlying cause of BI or PD claim was a data breach, your General Liability policy may exclude coverage. Talk with your broker about filling this potential gap in coverage.
The extra emphasis is mine. At first I wasn’t connecting how a data breach could result in a bodily injury or property damage claim. So I read the linked article by James Carter. Here’s a quote that gets a little closer to the point:
…a widespread cybersecurity threat has generally gone unrecognized: the vulnerability to cyberattacks of the underlying control systems that power and cool data-center networks. These same types of systems, which include generators, thermostats, and air conditioners, are also found in commercial buildings and factories. …insurance policies, depending on wording, may have significant gaps in coverage for cyber-related injury or property damage. Companies should ask their brokers and insurers about difference in conditions coverage for cyber-related bodily injury and property damage (“Cyber DIC Coverage”).
I’ve never heard about cyber difference in conditions coverage before, but I finally understood the underlying risk: not a data breach but a cyber attack against industrial control systems.
It turns out James wrote his article in part based on a recent Wall Street Journal article, so I took a few minutes and read that one. Here’s a quote:
These “industrial control systems” are fixtures not only in data centers but in commercial buildings and factories. While networked computers are upgraded frequently, the equipment in this underlying layer may be on a refresh schedule measured in decades. They use hoary communication standards that lack basic security features such as password protection.
Anyone who’s not familiar with the underlying risk should read up about the 2010 Stuxnet attack, or SCADA system security, in general. DHS is aware of these vulnerabilities and has been conducting tests at least since 2007. This is also conceptually related to the poor security for the Internet of Things (IoT) and the recent, well-publicized disabling of a Jeep driving along a highway.
Here’s a quick and dirty scenario that might arise: Your company loses power due to a cyber attack against your building. In the dark at one of your offices, a contractor falls down a short flight of stairs and sustains serious injuries that keep her from working for the next four months. Without Cyber DIC Coverage, your insurance company may reject your claim when you are sued by the contractor.
How likely is all this? Well, no one took car hacking seriously until a few months ago and now 1.4 million Jeeps have been recalled due to faulty software. Guess it’s time to call your broker…