Cyberattacks that cause physical damage to property, such as equipment breakdowns and fires, are relatively infrequent but can leave policyholders with gaps in coverage.

Many traditional insurance policies exclude cyber property coverage, leaving businesses potentially exposed to costly financial and operational losses, experts say.

Some insurers, though, have added property coverage clauses to cyber policies.

Businesses increasingly rely on interconnected systems and operational technology, and the risk of cyber incidents causing physical damage or bodily injury is rising, said John Farley, New York-based managing director of Arthur J. Gallagher & Co.’s cyber practice.

Policyholders are concerned about whether their traditional insurance or cyber policies cover such events, Mr. Farley said.

Cyber insurance is often marketed as comprehensive, but many policies exclude coverage for physical property damage, said Joshua Gold, a shareholder in law firm Anderson Kill’s New York office.

“The concern for policyholders is that they then look to their property insurance policies to cover them, and perhaps their general liability policies. But more and more, you’re seeing either exclusions for cyber in some of those policies, or else you’re seeing sublimited coverages, which, as we all know, can basically act as an exclusion,” Mr. Gold said.

Traditional cyber insurance policies typically exclude bodily injury and property damage because the policies were designed to cover financial losses, said Michelle Chia, New York-based chief underwriting officer, cyber, Americas, for Axa XL.

Organizations now depend on digitally connected assets, and their risks and exposures have expanded, shifting expectations about what insurance policies should cover, Ms. Chia said.

Coverage for cyber property incidents became an issue after 2017, when cyberattacks like WannaCry and NotPetya caused extensive operational and systems damage to businesses. The attacks exposed the so-called “silent cyber” risk in traditional property policies, prompting insurers to clarify their coverage. Many property insurers added cyber exclusions or sublimits. Also, in 2014, a German steel mill was the target of a cyberattack when hackers successfully took control of the production software, causing material damage to the site.

Generally, property insurers don’t want to be in the cyber coverage business, said Gregory Mann, Atlanta-based U.S. property placement leader for Marsh.

“Are there some writebacks as far as resulting damage for fire and explosion? There are … Are there some expansions past that? There are,” Mr. Mann said. Some property insurers offer broader coverage, he said.

FM covers physical damage from cyberattacks up to the policy limit, said Wade Chmielinski, Johnston, Rhode Island-based vice president and hazards manager at the insurer.

Coverage is provided as part of FM’s property policy, and policyholders are not required to have specific cybersecurity controls in place, though “in the future, that could change,” Mr. Chmielinski said (see related story below).

Originally, cyber policies excluded property damage, and exclusions still exist, said Gregory Eskins, Miami-based global cyber product leader at Marsh. But the cyber insurance market has evolved to “fill the gap that has been left by the lack of appetite within the property market,” Mr. Eskins said.

While cyber markets haven’t traditionally covered physical damage, they do now, said Robert Parisi, New York-based head of cyber solutions-North America at Munich Re.

“It’s typically an extension, an additional bit of underwriting to ask some property-like questions. What’s your TIV, what’s your inventory?” Mr. Parisi said.

In the London market, it’s “relatively inexpensive” to get affirmative coverage added to a cyber program or carved back to the property program, said Ryan Griffin, Chicago-based U.S. cyber leader at McGill and Partners.

Interest in the coverage fluctuates based on market cycles and premium costs, he said.

Beazley recently launched a cyber coverage extension for physical damage, targeting large multinational companies, said Melissa Carmichael, New York-based head of U.S. cyber for the insurer. Up to $100 million in limits are available for a single risk under Beazley’s Quantum facility, Ms. Carmichael said.

Some cyber policies cover bodily injury and physical damage, but solutions don’t exist for every business size in every industry, said Scott Bailey, London-based head of global cyber underwriting at CFC.

For example, a cyberattack causing a catastrophic explosion at an energy plant with a total insured value of $1.5 billion would create a coverage gap. “You probably can’t get the cyber market to cover 100% of that loss,” because cyber insurers typically take smaller line sizes, Mr. Bailey said.

“The property/casualty market could cover that sort of sum insured in a blink of an eye, but you’d have to find enough P&C insurers with appetite to agree to cover cyber as a peril,” he said.

There can be some misconceptions about coverage and where property damage caused by cyber events should be covered, said Dan Law, head of the cyber practice at Hartford Steam Boiler Inspection & Insurance, part of Munich Re.

“Should events be covered on a property policy? Should they be covered on a cyber policy? Is it an appropriate mechanism to do it?” Mr. Law said.

---

Companies should act to reduce threat exposure

Businesses should actively work to minimize their exposure to cyber threats, especially those that could cause significant physical damage and disrupt operations, insurance experts say.

“Cyber threats have moved from the back rooms of the IT department to the machine room floor of the manufacturing plant,” said John Farley, New York-based managing director of Arthur J. Gallagher & Co.’s cyber practice.

Insurers are increasingly focused on whether information technology and operational technology systems are segregated and whether there is strong cyber hygiene around them, Mr. Farley said.

“If there is no proper segregation or cyber management around those two systems, an attack on IT can lead to an attack on operational technology, leading to equipment failures, fires, bodily injury,” he said.

Traditionally, cyber underwriters assess a company’s information technology network and overall risk posture, said Scott Bailey, London-based head of global cyber underwriting at CFC.

Operational technology operates machinery and infrastructure, making it vulnerable to cyberattacks that cause industrial damage, Mr. Bailey said.

“Some advocate disconnecting your operational technology from the internet because it’s the lowest-risk strategy. That’s clever, but seems a bit backwards in a world where the internet’s enabling so much global connectivity,” he said.

Operational technology can be connected to the internet, but with that comes more risk, he said.

The frequency of cyber events causing physical damage is hard to model because there are few historical examples, said Marco Lo Guidice, head of catastrophe modeling at Cyberwrite.

“Heightened political instability generates the conditions for these things to happen more often,” Mr. Lo Guidice said. Industry research has shown that cyberattacks causing physical damage are more likely during periods of political instability due to state-sponsored cyber warfare often targeting critical infrastructure like power grids and financial systems.