The drumbeat of high-profile data breaches has led to rapid growth in the number of companies purchasing or considering specialized cyber insurance. According to a recent report by Marsh & McLennan, in the majority of industry sectors more than 20% of companies have already bought this coverage.1 But as technology evolves, so do the risks. And the explosion of the Internet of Things may present risks that even these new cyber policies do not cover.

A New World of Risk in the Internet of Things

The "Internet of Things"—or "IoT"—refers to devices and other tangible things (other than computers, tablets, smartphones, and the like) that connect or communicate information with or between each other through the Internet. Participant "things" in the IoT can include consumer-oriented devices that use Internet connectivity to control or monitor home security and automation, health and fitness, car navigation systems, and a host of other functions and services. In the commercial and industrial context, it can include sophisticated operational control systems for manufacturing or other business processes.

Internet-connected devices can provide great benefits, and have the potential to transform our daily lives. According to a Federal Trade Commission ("FTC") report released in January 2015, experts estimate that as of 2015 there will be 25 billion Internet-connected devices, and that number is expected to double by 2020.2

But, as the FTC report discussed, the IoT also carries with it significant added security risks. Those risks will only become greater as the number of IoT devices continues to expand. One risk is that a cyber-attack involving Internet-connected devices can result in the unauthorized disclosure of personal or other confidential information collected by the devices; consider, for example, detailed health, geo-spatial or other information. But another risk is that a cyber-attack involving Internet-connected devices could result in tangible physical harm, such as property damage or bodily injury.

Perhaps the most well-known example is the computer virus, Stuxnet, which infiltrated an Iranian nuclear facility and destroyed a substantial number of uranium-enriching centrifuges.3 More recent examples suggest these attacks may begin to hit a wider array of targets. In late 2014, a cyberattack on a German steel plant led to what was reported to be widespread damage. Hackers reportedly gained access to the plant's production networks, causing the failure of components and systems, which led to "massive damage" when one of the plant's blast furnaces could not be properly shut down.4 The FTC report also highlights an action the FTC brought against a manufacturer of Internet-connected cameras that were marketed for a variety of uses, including home security and baby monitoring. Hackers were able to access live feeds from consumers' cameras, enabling them to surveil consumers' homes. And consider that earlier this year researchers at the Florida-based Digital Bond Labs stated that they had uncovered problems in a device that Progressive Insurance uses to monitor the driving habits of its customers. By reverse-engineering the device, researchers gained access to a network that allows remote users to control important vehicle functions, e.g., steering, braking, and throttle inputs.5 Progressive relies on this device as part of an insurance program that collects data on how many miles are driven, what times of day a car is in operation, and how hard a driver brakes. Customers who participate in this program can receive discounts in exchange for providing Progressive with this data. If someone had actually hacked into the Progressive network, they could have potentially overridden a driver's input and controlled a vehicle, causing significant physical damage or injury. These types of attacks could result in a multitude of liability-creating scenarios.

Insuring the New Reality

Will your insurance cover these potential liabilities? The answer will depend on where you stand in the liability chain, but you should not assume that just because you have cyber insurance, you have coverage for resultant injuries or property loss.

Coverage for liability for bodily injury or property damage typically is provided in general liability policies. But beginning around 2004, an "Electronic Data" exclusion was added to the standard CGL form that bars coverage for bodily injury or property damage claims "arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data."6 In May 2014, a much broader set of exclusions was introduced, expanding the original Electronic Data exclusion to bar coverage for cyberattack-related liabilities. The 2014 exclusions bar coverage for damages arising out of:

(1) Any access to or disclosure of any person's or organization's confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of nonpublic information; or

(2) The loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.7

There are several variations of the exclusion, including one that applies to both bodily injury and property damage liability and personal and advertising injury liability, one that contains a limited exception related to bodily injury, and one that applies only to personal and advertising injury. If you are the victim of a cyberattack that caused bodily injury or property damage to others via your smart devices, and if you have a policy containing a version of the exclusion that applies to bodily injury and property damage liability, your GL insurer may disclaim coverage on the basis of this exclusion. Whether the liability fits within the exclusion, including whether it arose out of "access to or disclosure of . . . confidential information," will depend on the facts of the particular situation. For example, where a hacker hijacks a company's network for the purpose of causing injury, the injury does not necessarily arise out of access to or disclosure of information. Most importantly, it is necessary to review your coverage closely to consider the impact of this exclusion on your IoT risk exposure.

What about that specialized cyber policy you purchased to cover you in the event of a cyber-attack? Cyber policies typically provide coverage for certain types of first-party costs, such as data breach notification, and third-party liability arising out of a cyber-attack, such as liability stemming from the unauthorized disclosure of confidential information or a failure of network security. However, most cyber policies exclude coverage for claims alleging bodily injury or property damage. So even though you purchased cyber coverage to protect you in the event you are the victim of a cyber-attack, your insurer may claim that IoT-related liabilities are not covered.

Minding the Gaps

But it will depend on the specifics of each policy. There are no standard forms for cyber policies and not all policies contain this exclusion. In fact, at least one insurer is expressly offering a cyber policy that it advertises as filling the gap between typical cyber and general liability policies to cover property damage and bodily injury claims resulting from a cyber-attack. But this is a new type of coverage that the vast majority of companies do not currently offer. Moreover, it remains to be seen how insurers will interpret these policies when presented with claims alleging tangible harm arising from a cyber-attack. Ultimately, it is important to review your specific cyber policy, as well as your other policies, to understand the harms for which you are and are not covered.

Adding to the complexity, there will almost certainly be multiple "targets" from IoT-related liability, each of which needs to understand its insurance coverage. As an example, in the automotive scenario noted earlier, someone who has been harmed by a hacked, out-of-control vehicle may sue the driver/owner of the car, the insurance company, and/or the company that made the monitoring device. Product liability claims often spawn litigation that involves everyone in the chain of distribution from the parts manufacturer to the end user. Each of these parties may carry liability policies that could cover this type of exposure arising out of its products, but again, companies need to carefully review their coverage to ensure these potential IoT risks are addressed.

Many companies who are victims of a cyber-attack will not face claims for property damage or bodily injury. But for companies who contribute to the IoT, this risk is real and has the potential to saddle a company with substantial liabilities. Companies that make and use Internet-connected devices need to be mindful of this potential gap in coverage when building their insurance programs.

Footnotes

1 Marsh & McLennan, "Benchmarking Trends: As Cyber Concerns Broaden, Insurance Purchases Rise" (March 2015), available at http://usa.marsh.com/Portals/9/Documents/BenchmarkingTrendsCyber8094.pdf

2 FTC Staff Report, "Internet of Things: Privacy & Security in a Connected World" (January 2015), available at https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitledinternet-things-privacy/150127iotrpt.pdf

3 Kim Zetter, Wired, "An Unprecedented Look at Stuxnet, the World's First Digital Weapon" (Nov. 3, 2014), available at http://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/

4 Loek Essers, IT World, "Cyberattack on German steel factory causes 'massive damage'" (Dec. 19, 2014), available at http://www.itworld.com/article/2861675/cyberattack-on-german-steel-factory-causes-massive-damage.html

5 Caitlin Bronson, Insurance Business America, "Progressive security holes put 2 million at risk" (Jan. 19, 2015), available at http://www.ibamag.com/news/progressive-security-holes-put-2-million-at-risk-21007.aspx

6 Jeff Woodward, International Risk Management Institute (IRMI), "The 2004 ISO CGL Policy" (April 2004), available at http://www.irmi.com/expert/articles/2004/woodward04.aspx?cmd=print

7 ISO CG 21 06 05 14; ISO CG 21 07 05 14; ISO CG 21 08 05 14
