Spoofing sensors also can cause
damaged goods, without harming
any machinery or equipment. In a
refrigerated truck, for example, hackers
would feed sensors false data so they
continually record a temperature of 0
degrees, even if it’s 70 inside the truck.
An entire shipment of frozen goods
would be ruined by the time it reaches
“It’s not that the refrigeration
equipment was broken; it’s that
the sensors were fed the wrong
information, and no one had any
indication that it was false,” said Robert
Parisi, cyber product leader at Marsh.
“These losses will not fall into the
simple buckets in which the insurance
The scope of potential losses leaves
risk managers wondering what insurance
policy, if any, will cover the damage.
LOOKING FOR COVER
“The question in insurance becomes:
where is that covered?” Grella said.
The industry has no uniform way
to address these losses. Cyber coverage
typically excludes physical loss. Property
or general liability policies likely cover
property damage, even if the underlying
trigger was a cyber event. Companies
also might find coverage in crime
or fidelity policies, if the breach was
perpetrated by an employee.
“Companies first think to look
at their GL or property policies for
coverage, and they may find it there,
but these policies really were not
designed to respond to cyberattacks,”
“Finding silent coverage is not
really where insurers or insureds want
to be. Clients want to know what
they’re buying and what’s covered, and
carriers want to know exactly what
Coverage for cyber-triggered
physical losses could extend in two
directions. Carriers could begin
offering affirmative coverage for
cyber events in property policies, or
cyber policies could expand to include
property damage and bodily injury, not
just loss of data, business interruption
and other non-physical losses.
“Market conditions will dictate that
evolution to some degree,” Harvey
of RMS said. “At the moment, the
property market is very soft, which
drives underwriters to try to win more
business, which means they’ll be more
generous with their cyber coverages.
On the other hand, regulators want to
ensure underwriting is done properly,
with adequate controls in place, which
could push property underwriters to
Property and cyber underwriters
need to work together to ensure they
are managing the risk appropriately.
Marsh’s Parisi said some cyber insurers
have offered to cover physical loss only
if the insured’s property policy does
not respond. This shows the industry is
recognizing the widening coverage gaps.
“Cyber policies expanding to take
in this exposure is the cleanest way to
do it,” he said. “We are seeing greater
flexibility on the part of the cyber market
to adapt to changing loss scenarios that
don’t have actuarial data behind them
or underwriting standards.”
AIG, Marsh and FM Global are
among insurers and brokers offering
expanded cyber products designed to
affirmatively cover physical harm.
“We’re starting to get more inquiries
about our coverage and how it intersects
with other cyber policies,” FM Global’s
O’Byrne said. “What clients really want
is contract certainty.”
RMS has spent the past year
modeling the severity of physical losses
triggered by a cyberattack, but nailing
down the frequency remains a challenge.
“We have developed models to
confidently help insurers assess what
the severity of cyber-physical events
might be,” Harvey said. “RMS are
continuing to explore methods of
assessing the probability of these rare
events as we know both the frequency
and severity are critical components of
quantifying the risk.”
With cyber risks evolving and
uncertainties in the type and scope
of losses and coverage gaps, the best
approach risk managers can take is to
treat cyber like any other operational risk
and apply enterprise risk management.
“The best companies approach
cyber risk the same way they do
currency risk, or political unrest, or
weather risk — like any other standard
risk,” Parisi said. “Tech-based risks are
really no different than any other risk
and you need to manage them through
the normal risk management channels.
Make sure that technology risk is part
of the ERM discussion.”
Cross-functional teams including
risk management, IT, operations and
security should work with senior
executives to assess the scope of cyber
risk and develop a multi-pronged
strategy, O’Byrne said.
“Buying the newest, shiniest piece
of technology won’t necessarily solve
your exposure. Assuming that the IT
guys will somehow fix it ignores the
fact that technology has crept into
everything that we do. It’s an active risk
to be managed, not a problem to be
solved,” he said.
Patching cyber vulnerabilities
in industrial-control systems, and
separating critical control systems from
business networks and other
non-critical functions can make it harder
for hackers to access machinery and
Risk managers also should conduct
gap analyses to determine if and where
they have coverage for physical damage
from a cyberattack.
“Your broker or a third-party
vendor can provide this service,” Grella
of AIG said. “You want to make sure
you have a primary policy that provides
coverage for physical damage from
cyber on an affirmative basis.”
Given the near impossibility of
gauging and defending against all cyber
exposures as the risk takes on new forms,
closing coverage gaps will be the most
critical risk management technique.
“If you are targeted by a
sophisticated group of hackers, they
will find a way in,” Harvey said. “You
have to make sure you’re properly
KATIE SIEGEL is an associate editor at
Risk & Insurance®. She can be reached at
“Companies first think to
look at their GL or property
policies for coverage … but
these policies really were
not designed to respond to
—Tracie Grella, global head of cyber risk insurance, AIG