The Worst Case Scenario
In 2015, Lloyd’s of London and the University of Cambridge co-authored a report forecasting that a major cyberattack on the East Coast of the U.S. could result in $70 billion in claims, stressing potentially gaping deficiencies in both traditional and cyber policies to respond to such an event.
The premise of the report’s hypothetical scenario is a computer hack infecting electricity generator control rooms with malware, affecting 15 states and leaving 93 million people without power. The report predicts an attack of this magnitude could result in $1 trillion in losses, with up to $70 billion covered by insurance.
The study also outlines a variety of different policies that could be triggered by such an event. For example, a power generation company with physical damage to generators may have coverage under a traditional property policy. A food processing company with spoiled goods due to outages may trigger coverage under business interruption. Claims against the same companies by shareholders as a result of losses in market position may trigger directors and officers coverage. Along the same lines, the report emphasizes that cyber policies may not cover all possible perils that may result from a cyber-attack.
The takeaway for policyholders? Ask questions. Many policyholders (understandably) expect their cyber coverage to cover all cyber-related losses, but they may not. For instance, after an event like the one described above, you may be left with a cyber policy that excludes bodily injury and property damage, and a property policy that excludes damage as the result of a cyber event, leaving a huge hole in coverage. With the lack of standardization and the wide range of products available, attention to detail is crucial to understanding what you are getting for your premium dollars and having an outside party take a comprehensive look at your policy portfolio can be extremely valuable.