Cyber Terrorism: Does Your Insurance Cover the Gaps?
Terrorism is a growing concern for businesses, but preparations for cyber terrorism may be lacking at many organizations.
In a recent poll conducted by Marsh, more than 70% of companies responded that they are more concerned about terrorism risks today than they were three years ago. However, only 48% said they include cyber terrorism scenarios in their risk management planning.
Understanding cyber terrorism and its potential impacts should help guide your risk and insurance strategy.
For example, property damage and casualty claims from cyber terrorism events are growing risks. This is due to the increasing sophistication of bad actors in carrying out attacks and the rapidly expanding number of potential vulnerabilities that can be exploited as more physical systems become connected online. Such factors have led one US security expert to predict it’s only a matter of time before terrorist groups launch sophisticated cyber-attacks against the United States.
Federal Programs and Terrorism Risk
Federal programs have responded to help manage terrorism risk. The Terrorism Risk Insurance Program Reauthorization Act of 2015 (TRIPRA) enables insurers to make terrorism insurance available and affordable. In addition, the Support Anti-Terrorism by Fostering Effective Technologies Act (SAFETY Act) provides companies a mechanism for limiting liability where plaintiffs claim that the company somehow failed to prevent an act of terrorism.
However, an act of cyber terrorism does not need to include physical damage. For example, a hacker from Kosovo recently pleaded guilty to accessing and releasing to a terrorist group the personal information of more than 1,000 US service members and federal employees. While no deaths or damage resulted from the disclosure, the breach was enough of a threat to human life to meet the federal standard for terrorism.
The Role of Cyber Insurance
Cyber insurance can address financial impacts of acts of cyber terrorism that do not involve physical damage. It can cover multiple disruptive activities against a computer system that would not require a violent or life-threatening act. Cyber insurance typically covers network security incidents regardless of the political or ideological beliefs of a non-state actor.
However, insureds must review this coverage in the context of any applicable war exclusion to understand its scope. Working with your risk and insurance advisor:
- Review policy definitions, including what constitutes a cyber terrorism act and how lines of coverage other than cyber insurance will respond to events triggered by a cyber incident.
- Review the implications of the policy’s war exclusion, which could be narrowed by a cyber terrorism clause.
- Include cyber terrorism scenarios in your risk management planning.
Managing cyber terrorism risk is not simple, but fortunately there is an expanding array of tools and options for managing the growing risk.
For more information on terrorism risk trends, read our 2016 Terrorism Risk Insurance Report.