A recent article in the Wall Street Journal highlights a widespread cybersecurity threat that it reports has generally gone unrecognized: the vulnerability to cyberattacks of the underlying control systems that power and cool data-center networks. These same types of systems, which include generators, thermostats, and air conditioners, are also found in commercial buildings and factories.
The article reports that a cyberattack involving control systems has the potential to take down an entire operation. It could also endanger human life. While these risks are not new, the article notes that security personnel at many companies do not realize that such systems may be connected to the computer system or the internet, and thus exposed to a cyberattack. In fact, the article reports, such systems often lack basic security protocols, such as user names or passwords.
The article serves as a reminder that companies should review the cybersecurity of the control systems that they use to keep their data centers and other operations running. While they are at it, they should also take a look at their insurance policies to see if they have coverage for cyber-related damage and injury.
Companies may be surprised to learn that their insurance policies, depending on wording, may have significant gaps in coverage for cyber-related injury or property damage. Insurers have introduced a number of exclusions and limitations that could be construed as barring coverage for property damage or bodily injury arising from a cybersecurity event.
For example, Clause CL 380, which is found in some commercial property policies, states that the policy does not cover loss caused by the use of a computer system “as a means of inflicting harm.” Other exclusions added to commercial property policies, such as NMA 2915, carve back coverage for cyber-related property damage but only in limited situations, such as a fire or explosion.
In 2013, CG 21070514 was introduced for use in commercial liability policies. It states that the policy does not apply to damages arising out of “the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.”
Many companies have started to purchase stand-alone cyber risk insurance policies. But cyber risk policies typically feature broad exclusions for bodily injury and property damage. Without modification, such policies will not fill in the coverage void for cyber-related damage and injury left by non-cyber policies.
As companies increasingly connect their control systems to the internet, their insurance policies may not be keeping pace with the risks that they face. Even companies that purchase millions of dollars in cyber risk insurance may not have adequate coverage for bodily injury or property damage arising out of a cyberattack.
What can companies do to fill in the coverage gap for cyber-related damage and injury? For one, they can carefully review their policies for exclusions and limitations that could preclude coverage for cyber-related bodily injury and property damage and negotiate with their insurers to remove such provisions.
But a more comprehensive coverage solution may be available. Companies should ask their brokers and insurers about difference in conditions coverage for cyber-related bodily injury and property damage (“Cyber DIC Coverage”). Cyber DIC Coverage is intended to fill in the coverage gaps for cyber-related damage and injury, as well as other types of cyber-related losses. Unfortunately, it is not a common feature of cyber risk policies.
In general, Cyber DIC Coverage applies to a cyber-related loss that would have been covered by a company’s non-cyber policies but for cyber-related exclusions or limitations. Ideally, it should apply broadly to any type of cyber-related loss or claim that is not otherwise excluded by non-cyber policies.
Like other types of cyber risk coverage, the terms and conditions of Cyber DIC Coverage vary from insurer to insurer, so it is important to review them carefully and request changes to unfavorable terms. Typically, Cyber DIC Coverage is subject to a deductible and the underlying non-cyber policies must be scheduled. Some policies have additional conditions such as a requirement that the non-cyber insurer issue a written denial of coverage based on a cyber-related exclusion in order to trigger coverage. Such a condition may not outright eliminate coverage, but it is unnecessary and could make coverage difficult to trigger (what if the underlying insurer is insolvent?).
In time, Cyber DIC Coverage should become a common offering. But, for companies concerned about cyber-related property damage and bodily injury, now is the time to seek out this important coverage.
 Robert McMillan, A Hacker’s Back Door to Sabotage Networks, Wall St. J., Sept. 25, 2015, at B1 & B4; Robert McMillan, Cyber Risk Isn’t Always in the Computer, Wall St. J. (Sept. 24, 2015 4:05 ET), http://www.wsj.com/articles/cyber-risk-isnt-always-in-the-computer-1443125108.
 See National Institute of Standards and Technology, Special Publication 800-02 Revision 2, Guide to Industrial Control Systems (ICS) Security (May 2015) at 2, available at http://dx.doi.org/10.6028/NIST.SP.800-82r2.
 McMillan, supra note 1.
 Marsh, Cyber Gap Insurance, Cyber Risk: Filling the Coverage Gap (2014) at 4, available at http://uk.marsh.com/Portals/18/Documents/Cyber%20Gap%20Insurance%20Brochure_Final.pdf .
 ISO CG 21 06 05 14 (2013).