We're sorry but your browser is not supported by Marsh.com

For the best experience, please upgrade to a supported browser:


Risk in Context

Property Risks From Cyber-Attacks: Are You Covered?

Posted by Michael Rouse May 10, 2016

Despite being a known risk, cyber-attacks continue to present the kind of challenges associated with emerging risks, according to the 2016 Excellence in Risk Management survey from Marsh and RIMS. Cyber-attack was named most frequently by risk professionals (61%) as the area from which their next critical risk would emerge.

First-Party Risks

One manifestation can be seen in how cyber risks have moved beyond data and privacy breaches: Attacks now can damage your systems and disrupt operations, raising questions about insurance coverage. For example, if hackers erase the manufacturing code from your network, halting your manufacturing operations, are you covered for first-party cyber risk?

Consider ransomware, a form of malware that threatens to erase your company’s data if you don’t pay off cybercriminals. An attack could cause a significant interruption to your operations. Such operational risks have spurred organizations to question whether there is a coverage gap related to cyber-attacks that may result in property damage and business interruptions.

Check Your Policy

Coverage addressing first-party cyber risks is evolving quickly. It’s important to know that even if your property insurance policy includes physical or non-physical damage coverages, it does not necessarily mean you’re covered for first-party losses from cyber-attacks.

How coverage will respond largely depends on how your policy is structured. Checking the terms, conditions, and exclusions can help you understand whether the loss is covered, and to know how your property policy may:

  • Limit coverage to damage to and/or loss of use of tangible property resulting from physical damage.
  • Cover a cyber-attack resulting in physical damage and resulting damages from a peril that is not excluded.
  • Trigger coverage in the event that the attack is not directed at the insured, which can bring in elements of contingent coverage.

Standalone cyber insurance policies can provide coverage, absent physical damage, for business interruption, extra expense, and contingent business interruption.

Take Care of Your Data

Property insurance policies typically have not covered damage to data or software unless there was physical damage, although some insurers now expressly provide coverage. However, several insurers specifically exclude coverage for damage to data or software.

Take these steps to help safeguard data and software:

  • Keep all software up to date.
  • Back up all files regularly.
  • Educate your employees to identify potentially dangerous emails and to not open attachments or click on links in unsolicited emails.

More organizations are looking to close the potential gap in business interruption coverage between property and cyber policies. As cyber risk continues to present as an emerging risk, you can keep abreast of the changes by working with your insurance advisor to carefully review how your insurance covers damaged data/software and business interruption costs.

Related to:  Property , Cyber Risk , Cyber Risk

Michael Rouse

US Property Practice Leader