Covered For Cyber-Related Bodily Injury and Property Damage?

Talk about being lost in translation. This morning Bob Hendren posted this to the Chief Financial Officer (CFO) Network group over on LinkedIn:

Bodily Injury (BI) and Property Damage (PD) coverage is typically associated with General Liability, but if the underlying cause of BI or PD claim was a data breach, your General Liability policy may exclude coverage. Talk with your broker about filling this potential gap in coverage.

The extra emphasis is mine. At first I wasn’t connecting how a data breach could result in a bodily injury or property damage claim. So I read the linked article by James Carter. Here’s a quote that gets a little closer to the point:

…a widespread cybersecurity threat has generally gone unrecognized: the vulnerability to cyberattacks of the underlying control systems that power and cool data-center networks. These same types of systems, which include generators, thermostats, and air conditioners, are also found in commercial buildings and factories. …insurance policies, depending on wording, may have significant gaps in coverage for cyber-related injury or property damage. Companies should ask their brokers and insurers about difference in conditions coverage for cyber-related bodily injury and property damage (“Cyber DIC Coverage”).

I’ve never heard about cyber difference in conditions coverage before, but I finally understood the underlying risk: not a data breach but a cyber attack against industrial control systems.

It turns out James wrote his article in part based on a recent Wall Street Journal article, so I took a few minutes and read that one. Here’s a quote:

These “industrial control systems” are fixtures not only in data centers but in commercial buildings and factories. While networked computers are upgraded frequently, the equipment in this underlying layer may be on a refresh schedule measured in decades. They use hoary communication standards that lack basic security features such as password protection.

Anyone who’s not familiar with the underlying risk should read up on the 2010 Stuxnet attack, or on SCADA system security in general. DHS is aware of these vulnerabilities and has been conducting tests at least since 2007. This is also conceptually related to the poor security of the Internet of Things (IoT) and the recent, well-publicized disabling of a Jeep driving along a highway.

Here’s a quick and dirty scenario that might arise: Your company loses power due to a cyber attack against your building. In the dark at one of your offices, a contractor falls down a short flight of stairs and sustains serious injuries that keep her from working for the next four months. Without Cyber DIC Coverage, your insurance company may reject your claim when you are sued by the contractor.

How likely is all this? Well, no one took car hacking seriously until a few months ago and now 1.4 million Jeeps have been recalled due to faulty software. Guess it’s time to call your broker…