We're sorry but your browser is not supported by Marsh.com

For the best experience, please upgrade to a supported browser:


Risk in Context

Internet of Things Attack Shines Spotlight on Insurance Coverage Issues

Posted by Thomas Quigley October 26, 2016

Baby monitors. Home routers. Digital video recorders. These were among the devices used to overload an internet infrastructure company in an unprecedented distributed denial of service (DDoS) attack that brought down several popular websites last week (October 21). The use of simple devices connected to the Internet of Things (IoT) marks a turning point for cyber-attacks, which continue to grow in sophistication and virulence.

Such events raise many risk management questions for communications, media, and technology companies — indeed all companies — in a number of areas, including how insurance will respond.

And yet, about half of risk professionals say they are unsure whether their organizations fully understand how their insurance coverages will respond to losses from a cyber-event. That’s according to a survey taken during Marsh’s recent The New Reality of Risk® webcast, just two days before the IoT attack.

Gaps in Coverage

For example, one coverage area that companies need to understand in such situations involves contingent business interruption (CBI). Manipulating devices to conduct the recent DDoS attack undoubtedly interrupted business and caused revenue loss for some companies, highlighting the need to understand what CBI covers.

Losses from such attacks could affect several insurance lines, including cyber, property, and casualty. How business interruption and CBI losses are covered will largely depend on your insurance program structure.

Property and casualty insurers generally provide coverage for some cyber exposures — depending on specific circumstances — and cyber insurers are broadening and enhancing risk transfer options. As a result, it’s important to look at all three coverage areas in relation to a cyber-attack that disrupts your operations.

In the event of an outage from one of your service providers, consider:

  • The amount you will be reimbursed by your service provider if its outage causes you to lose revenue.
  • How your insurance program will respond if you lose revenue due to the outage.
  • The indemnification agreements and other details in your contract with the provider.
  • The terms, conditions, and exclusions in your policies to help you understand whether the loss is covered.
  • Standalone cyber insurance policies, which can provide coverage, absent physical damage, for business interruption, extra expense, and CBI.

Companies with IoT connectivity in their products should explore potential liability scenarios emanating from product failure.

Work with your insurance advisors to understand the losses by examining current claim scenarios to determine how they might impact your operations. Such information can help ensure you are better prepared if a service provider’s outage were to affect your business.

Thomas Quigley

Communications, Media & Technology, US Practice Leader