Many an unhappy modern tale arises when a cyber-predator suggests to his victim that they transition their dealings from the virtual world to a meeting “IRL” – “in real life.” But the perils that arise when the internet meets the “real world” are not limited to vulnerable individuals: advances in technology, coupled with the ingenuity of malefactors, create the real risk that acts taking place wholly within cyberspace can have substantial impacts “in real life” – in the outside world – that go well beyond the loss of data or computer functionality. The best-known example is the Stuxnet virus, which seized control of Iran’s nuclear centrifuges and caused them, in effect, to commit mechanical suicide. Nearly as well-publicized was the 2014 cyber-attack on a German steel mill, which prevented a blast furnace from properly shutting down, reportedly causing massive damage. Any commercial entity that relies on internet-connected systems to control the operation of physical assets (such as manufacturing companies or utilities), and any entity that manufactures or distributes internet-connected products, is potentially at risk.
The risks go beyond the threat of damage to one’s own property: malicious computer activity could cause damage to third-party property or, worse yet, bodily injury or death. Many readers will recall the 2015 event (staged by “white hat” hackers) showing that a motor vehicle could be remotely disabled while traveling on a highway. It is not hard to imagine that similar vulnerabilities could provide an entrée for hackers to precipitate catastrophic accidents. Imagine what would happen, for example, if hackers remotely caused cardiac pacemakers to speed up patients’ heart rates to dangerous levels (this was the mechanism used, fictionally, to dispatch a victim in a 2013 episode of the TV show “Elementary”). As the “internet of things” becomes more prevalent, the risk grows commensurately. And the consequences of even minor disruptions (for example, the remote manipulation of an Internet-connected refrigerator that causes food spoilage) can be substantial when aggregated across thousands of products (through class action lawsuits or otherwise).
Faced with these sorts of losses, businesses and individuals would justifiably look to their insurance for coverage. After all, what is insurance for if it is not to protect against unexpected risks of damage or injury? Unfortunately, but not surprisingly, insurance coverage for these risks – both first-party property insurance to cover loss to one’s own property, and third-party liability insurance to cover one’s legal obligations to others – remains unclear.
For example, when faced with a third-party claim seeking to impose liability for bodily injury or property damage, most policyholders would turn to their commercial general liability (CGL) insurance, the backbone of most corporate insurance programs. But the standard-form CGL policy was (as of 2004) rewritten to exclude “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access, or inability to manipulate electronic data.” (Some – but not all – CGL policies incorporate a subsequent refinement restoring coverage for bodily injury.) See generally Insurance Services Office, Endorsement CG 21 06 05 14 & Endorsement 21 07 05 14.
The clear intent of the exclusion was to preclude coverage for more typical “cyber risks,” such as loss of data or computer functionality. Even so, some courts in other contexts have taken an unreasonably broad view of the inherently vague phrase “arising out of,” which could lead those courts to give the exclusion a scope that it was not intended to have, an interpretation that violates policyholders’ reasonable expectations and unjustifiably narrows what is supposed to be broad coverage. Such courts, for example, could conclude that the remote hacking of an automobile’s engine that causes an accident “arose out of” the “corruption” of “electronic data.”
Coverage for first-party losses is equally uncertain. While most commercial property programs presumptively cover “all risks of physical loss or damage,” a variety of exclusions may take away with the left hand what the right hand has just given. For example, one London Market property insurance form excludes all “loss, damage, destruction, distortion, erasure, corruption or alteration of ELECTRONIC DATA from any cause whatsoever,” or loss of use, cost or expense “of whatsoever nature resulting therefrom, regardless of any other cause or event contributing concurrently or in any other sequence to the loss,” unless fire or explosion ensues.
This might then lead a policyholder to ask “won’t cyber-insurance protect me?” Even there the answer is not clear. Most currently available cyber insurance policies exclude coverage for third-party claims alleging bodily injury or property damage, ostensibly because these risks are already covered by commercial general liability (CGL) insurance (an assumption that might be unwarranted, as noted above). Some insurers are now marketing supplemental cyber “difference in conditions” coverage intended to fill the gap, but until these questions have been addressed in court, this coverage may be an expensive and unnecessary redundancy.
In some cases, this might not be a concern: insurers depend upon new and renewal business, and so face certain practical constraints in how aggressive they can be in rejecting legitimate policyholder claims. If the loss is large enough, however, an insurer may be strongly tempted to engage in so-called “retrospective underwriting,” an exercise in “Monday morning quarterbacking” in which its claims staff pores through the policy looking for some textual excuse – any excuse – to deny coverage for a risk that the insurer and its customer both intended to be covered, but that has now turned out to be unprofitable.
What then should policyholders do? As in most cases, “forewarned is forearmed”:
- At the risk of restating the obvious, policyholders should review their risk profile, to identify potential risks before they ripen into losses.
- Policyholders should review their existing coverages to determine whether there is an acceptable margin of protection for the risks that have been identified. This exercise should focus not only on what the policy says clearly, but should also consider how an insurer might be tempted to rewrite the terms of the deal retroactively by creatively arguing that policy language narrows or precludes coverage. (This analysis should also consider which states’ laws may apply in the event of a coverage fight, since the laws of the different states and their receptiveness or hostility to policyholder claims can vary considerably. For example, Virginia is notoriously pro-insurer, while Washington is decidedly pro-policyholder.)
- Armed with the results of these analyses, policyholders may wish to consult insurance markets to obtain more peace of mind – if it can be obtained at a reasonable price and on reasonable terms. In some cases, policyholders with sufficient market power may be able to negotiate endorsements confirming or restoring the coverage that they intend to have. In other cases, policyholders may be able to obtain this protection using additional “off the shelf” insurance products, albeit at extra cost.
In each of these endeavors, the assistance of experts – brokers, coverage counsel, cyber-risk analysts, and the like – may be useful or even necessary.
In short, cyber risks “in real life” are indeed real, and existing insurance products may offer incomplete (or even illusory) protection, but some advance thought and effort may mitigate those risks substantially.
At the risk of a discursion into nuances of insurance coverage, a broad construction of the inherently ambiguous phrase “arising out of” is appropriate when it appears in a policy term granting or extending coverage, because ambiguities should be construed against the insurer (as a professional risk-taker who wrote the language at issue) and in favor of the policyholder (who was presented with boilerplate language as a fait accompli, and who is relying on the insurance at a time, after the loss has taken place, when it cannot obtain substitute coverage at any price). Such a broad construction is inappropriate, however, when the phrase appears in an exclusion, since exclusions must be construed narrowly to effectuate an insurance policy’s dominant purpose (providing coverage for unexpected loss or damage).