February 05, 2015 Articles

Cyber Insurance and Industrial Control Systems

The expanding market for cyber insurance may create problems insuring the risk

by Lon Berk [1]

Ironically, the expanding market for cyber insurance may create problems insuring cyber risk. One broker estimates that the demand for cyber insurance will exceed $2 billion of premium in 2014.[2] But while the market for cyber insurance may be increasing, the available coverages may be decreasing.

Much cyber insurance is focused on risks relating to the disclosure of personal information. The spate of retail store hacks—Home Depot, Target, P.F. Chang’s, and others—that resulted in stolen credit card and other consumer information, cost businesses and their insurers hundreds of millions of dollars in computer forensic expenses, legal expenses, notification expenses and credit monitoring, and other costs. There is thus good reason that policyholders and insurers have focused on managing the financial exposure of this risk.
           
But the focus on retailer risk distracts attention from other, perhaps more serious, cyber exposures. Insurers have taken steps to exclude cyber losses from coverage under their traditional, or what we will call “brick and mortar,” commercial policies and to increase marketing of their specialized cyber policies. Thus, for instance, ISO—the Insurance Services Office, a member of the Verisk Insurance Solutions Group—has taken steps to incorporate exclusions in its forms purporting to bar coverage for privacy and data breach losses, while simultaneously developing a product that provides coverage for these privacy and data breach losses.[3] The insurers’ goal appears to be to transfer coverage for privacy and data breach losses from brick-and-mortar policies to specialized insurance products. However, the exclusions used, although apparently intended to bar coverage for loss arising out of the disclosure of personally identifiable information such as those recently suffered by retailers, might be read more broadly by insurer advocates seeking to limit coverage. The result would be a restriction of available cyber insurance.

Privacy and data breach losses, however important, are only one of many cyber risks. There are other cyber risks as crippling, if not more so, to a business enterprise. In particular, there are cyber risks involving industrial control systems used to manage industrial operations. With few exceptions, the insurance market has yet to fully recognize these exposures and develop insurance products designed to address the risk. This is especially troubling with respect to infrastructure protection. In the United States, more than 90 percent of critical infrastructure is operated by private industry. It would seem that insurance for the risk arising out of its operation is imperative.

In fact, the federal government has endorsed a program under which insurance should operate as an incentive for increasing infrastructure cybersecurity. President Obama’s Executive Order 13636, Improving Critical Infrastructure Cybersecurity, concerns “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”[4] It directs the development of a set of incentives for voluntary compliance with cybersecurity guidelines, including “insurance liability considerations.”[5] The idea is that insurers would provide coverage for cybersecurity risks, would provide lower premiums for companies that satisfy cybersecurity standards, and, in addition, would be a repository for information about developing cyber risks. Indeed, government seems convinced that there is (or soon will be) a market for cyber insurance providing these services. One government publication[6] describes cyber insurance to include protection of “businesses from Internet based risks, and more generally from risks relating to information technology infrastructure and activities.” The paper discusses how cyber insurance might be used to “encourage the adoption of best practices.”

Insurers will require a level of security as a precondition of coverage, and companies adopting better security practices often receive lower insurance rates. This helps companies to internalize both the benefits of good security and the costs of poor security, which in turn leads to greater investment and improvements in cyber-security.[7]

Putting this idea into practice requires a robust market for cyber insurance products designed to protect critical infrastructure. Unfortunately, as of today, that robust market does not exist. In particular, while there are many cyber insurance policies that respond to losses associated with a privacy breach, policies that respond to other sorts of cyber risk, though available, are few and far between.

Categorizing Cyber Risk

To understand the scope of the problem, we need a framework to categorize different cyber risks. A very rudimentary one might be described as follows. Risk consists of two factors: a cause and a loss. The cause might, for example, be the negligent manufacture and sale of a defective product and the loss might be a bodily injury to a consumer; or the cause might be an explosion and the loss might be the interruption of a manufacturing facility’s operations; or the cause might be a hacked computer system and the loss might be the publication of confidential information. Businesses obtain financial protection against these risks in a variety of ways, one of which is to obtain insurance protection. Because there was little focus on cyber risk, as distinct from “brick and mortar risk,” the natural expectation was that all risks, both cyber and brick and mortar, could be financially transferred under some collection of traditional insurance policies. However, as the extent of cyber risk expanded over the most recent decades, insurers began interpreting their traditional policies more narrowly to exclude cyber risk while at the same time developing and marketing specialized products to address the risk.

There is a problem with this strategy. The scope of cyber risk and the distinction between a cyber risk and a brick-and-mortar risk are not clear, even if we assume that a clear distinction can be made between a cyber event and a physical event.[8] The issue might be depicted in the following table:

Row   Cause               Loss
1     cyber               cyber
2     brick and mortar    cyber
3     cyber               brick and mortar
4     brick and mortar    brick and mortar

Each row represents a different type of risk. For instance, a type 1 risk displayed in row 1 would be a cyber loss (for instance, the loss of electronic data) resulting from a cyber event (for instance, the uploading of memory-scraping malware). In contrast, a type 4 risk shown in row 4 would be a brick-and-mortar loss (for instance, the destruction of a warehouse) caused by a brick-and-mortar event (for instance, a fire). Perhaps type 1 risks can be categorized as cyber risks and type 4 risks categorized as brick-and-mortar risks. But how are we to categorize the risks shown in rows 2 and 3? These type 2 and 3 risks include cyber losses (such as the loss of electronic data) caused by brick-and-mortar events (such as the stealing of a laptop) and brick-and-mortar losses (such as an explosion) caused by a cyber event (such as the failure to properly configure a computer controlling a sprinkler system).

Comparing the Ingram Micro[9] decision from the U.S. District Court in Arizona with the America Online[10] decision from the Eastern District of Virginia underscores the issue. In Ingram Micro, the policyholder had purchased a business interruption policy. The policyholder used a worldwide computer network to track its customers, products, and daily transactions and to process all its orders. Its “entire business operation depends upon the proper functioning of [the system].”[11] The system was primarily maintained and operated at a data center. On December 22, 1998, a power outage caused by a ground fault in a fire alarm panel stopped all electronic equipment at the center from working. The company’s mainframe computers lost all programming information that had been stored in random access memory, and before operations could begin again, the system had to be reconfigured. As a result, Ingram’s business was interrupted and it lost income.

The insured looked to its business interruption policy for coverage. Although the policy insured all of Ingram’s computer system,[12] the insurer contended that there was no damage and that Ingram’s business loss was uncovered. According to the insurer, the loss of configurations did not constitute physical loss. The court disagreed with the insurer and found that the policy coverage “is not restricted to the physical destruction or harm of computer circuitry. . . .”[13]

At a time when computer technology dominates our professional as well as personal lives, the Court must side with Ingram’s broader definition of “physical damage.” The Court finds that “physical damage” is not restricted to the physical destruction or harm of computer circuitry but includes loss of access, loss of use, and loss of functionality. [14]

Ingram Micro involved a type 2 risk. It involved a power outage—a brick-and-mortar event—causing the loss of programs and configurations—a cyber loss.

In contrast to Ingram Micro, the America Online decision involved a different sort of risk. In that case, the policyholder, AOL, distributed an upgraded program to customers. The upgrade allegedly resulted in computer crashes and corruption of data files. A series of consumer claims followed. When AOL sought coverage for these claims, the insurer disclaimed, contending that computer crashes and file corruption were not damage to tangible property and, in any event, did not result in physical damage to the computers; consequently, the losses either fell outside the policy’s insuring agreement or were barred by the impaired property exclusion. The court agreed.[15] The risk at issue in America Online was a type 1 risk involving a cyber cause, uploading a program, and a cyber loss, corruption of data files and interference with computer operations. The court found that risk, unlike the type 2 risk at issue in Ingram Micro, was not covered by the brick-and-mortar policy.

Cyber Insurance

Most cyber insurance policies appear written to apply to type 1 risks; that is, a cyber loss resulting from a cyber event. As an example only, we can take the following terms of a cyber insurance form. The form first defines a “computer system” to be

Computer hardware, software applications and tools (including licensed software), middleware, Websites, and related electronic backup, but only if owned or leased, and operated, by the Insured Entity and connected to the Insured Entity’s computer network. Computer Systems do not include any computer hardware (including laptops, smart phones, memory devices or personal digital assistants), software applications and tools (including licensed software), middleware, Websites, and related electronic backup that are not connected to the Insured Entity’s computer network.[16]

The form then insures these systems against

Damages and Defense Costs on behalf of the Insured which the Insured shall become legal obligated to pay as a result of a Claim first made during the Policy Period, or Extended Reporting Period, if applicable, against the Insured alleging a Data Privacy Wrongful Act or a Network Security Wrongful Act, by the Insured, which takes place during or prior to the Policy Period.[17]

It defines a data privacy wrongful act to be

 

any negligent act, error or omission by the Insured that results in:
(1) the improper dissemination of Nonpublic Personal Information; or
(2) any breach or violation by the Insured of any Data Privacy Laws.[18]

 

It defines a network security wrongful act as

any negligent act, error or omission by the Insured resulting in Unauthorized Access or Unauthorized Use of the Computer System. . . .[19]

Where triggered, the policy provides reimbursement of narrowly specified expenses, including expenses relating to notification of affected consumers and credit monitoring, expenses related to public relations and crisis management, regulatory expenses relating to data privacy, and cyber investigation expenses.

The policy form appears suited to cover such type 1 risks as the recently publicized attacks on retailer networks. For example, the Target breach reportedly resulted from a hack into a third-party heating, ventilation, and air conditioning vendor, whose credentials were then used to break into the retailer’s network on about November 15, 2013. The hackers then uploaded malware—called “BlackPos”—between November 15 and November 28, using the period to be sure that the malware was functioning correctly, and by December 15, 2013, offloaded debit and credit card information, using several compromised servers in the United States and elsewhere, before transferring it to Russia.[20] Apparently, the malware went undetected by Target due to a configuration of its malware detection program.[21] A claim for negligence against Target arising from this circumstance would therefore be a negligent act, error, or omission by Target resulting in unauthorized access and use of Target’s computer system. The expense of managing the crisis, notifying consumers, and setting up credit monitoring would be covered as well.

The form does not appear suited for all type 1 risks. For instance, it is unclear that the risk at issue in America Online, even though type 1, would fall within the coverage provided by such policies. What is perhaps more important, such policies do not appear designed to address type 2 and 3 risks such as those presented by industrial control systems.

What about Industrial Control Systems?

As already noted, type 1 risks are not the only risks arising out of the use of computer systems. There are type 2 and 3 risks as well. This is particularly true of policyholders looking to cover risks arising out of industrial control systems (ICSs).[22] These are the networks used to monitor and control industrial operations and make up the backbone of critical infrastructure. They generally comprise a business network, a supervisory network, and process and control networks.[23] Unlike commercial networks, they can be operated over broad outside geographies and in uncontrolled climates. These systems represent a significant source of type 2 and type 3 risks.

Historically, it was thought that ICSs were “air-gapped” and therefore not a significant source of cyber risk. But that view has been discredited as obsolete. More and more industrial networks are being connected to commercial networks as businesses look for real-time reports on production. Further, the systems are increasingly using Internet-based communication. ICS components are often connected to the Internet and, as a result, can be subjected to malicious code. There is in fact a search engine that permits one to locate ICS components that are connected to the Internet, and researchers using this tool have found numerous ICS components on the Internet.[24]

Further, even if an ICS component is not directly connected to the Internet, many systems share components with systems that are open to the Internet. For example, a company may share a router with its email server and its main terminal unit; while the main terminal unit may be unable to receive and send emails through that router, a compromise of the router through the email server can be a compromise of an ICS. In addition, malicious code can be and has been uploaded directly onto ICS components through USB, or universal serial bus, devices and computers used to program or update ICS software. Indeed, many ICSs communicate wirelessly and can be subjected to man-in-the-middle attacks, like any device communicating over a wireless network. In short, ICSs are subject to the range of cyber risks—malware, denial-of-service attacks, and others—that systems directly connected to the Internet are subject to.

As an example, consider a very simple ICS that controls traffic lights in a very small town that has just three traffic lights. It might consist of three regional terminal units, one at each traffic light, and a main terminal unit at police headquarters. The main terminal unit can be used to upload new software to the regional terminal units, to monitor data regarding traffic detected at each unit, and to adjust the timing of the traffic lights as needed to respond to different traffic conditions. A hacker can obtain access to the ICS through these network connections and, perhaps, interfere with the traffic system. If the regional terminal units are connected to the main terminal unit through a wireless system, for example, the hacker might be able to do this without physically connecting to the network, through a wireless man-in-the-middle attack. Thus, even though this ICS is wholly separate from any other network, it is subject to cyber risks. And it does not take much imagination to conjure up a very serious type 3 risk involving the system.[25]

ICSs thus represent a significant source of type 3 risks. They also represent a type 2 risk. Among other things, the fact that these systems can spread over a geographically wide area creates a physical security risk. On pipelines, for instance, flow detectors may be located miles from any operators in isolated geography. There may therefore be physical intrusions into the components of these systems during which attackers reprogram or otherwise alter their operation, causing loss; or components of the system might be damaged or destroyed. ICS risks include the following actual incidents.

· In 2000, a disgruntled man in Australia, having been rejected for a government job, allegedly used a radio transmitter to alter electronic data within sewerage pumping stations, causing the release of 200,000 gallons of raw sewage into nearby rivers.[26]

· In 2007, an experiment by white-hat hackers demonstrated that they could hack into a controller and open and close breakers on a diesel generator, causing an explosive failure.[27]

· During the summer of 2009, instrumentation used in Iran’s nuclear developments was famously disabled by malware called “Stuxnet.”[28]

The Trouble with Cyber Insurance

There is language in some cyber insurance forms that an aggressive insurer advocate might use to argue that the type 2 and type 3 risks arising out of ICSs are not covered, unlike the type 1 retail risks. To the extent insurers intend to exclude these risks from their more traditional policies and underwrite cyber risks under their specialized products, these arguments should fail and are inconsistent with insurers’ and policyholders’ intent. However, in high-stakes coverage disputes, aggressive advocates may be able to use these aspects of the policies to reduce the value of the insurance sold. As one example, consider the definition of “computer system” quoted above. It excludes

any computer hardware (including laptops, smart phones, memory devices or personal digital assistants), software applications and tools (including licensed software), middleware, Websites, and related electronic backup that are not connected to the Insured entity’s computer network.[29]

The language has not been tested in any litigation. But it is not difficult to conceive of an aggressive insurer arguing that an ICS is not “connected to the Insured entity’s computer network” and, in fact, falls within the above exclusions. As noted, an ICS is often thought to be “air-gapped” and separate from the Internet. An insurer advocate might use this belief to support his or her contention that this exclusion applies. If such an argument were accepted, exposures arising out of an ICS would fall outside the policy’s coverage. For this reason, although the argument would likely fail, a prudent policyholder seeking coverage for ICS risks should seek to eliminate such provisions from the policy.

In addition, some forms include exclusions that may be of concern to those operating critical infrastructure as they can be used to argue that coverage for type 2 and 3 risks is barred. For instance, some forms exclude from coverage loss or claims caused by “any fire, smoke, explosion . . . or any other physical event, however caused,”[30] and any loss in any way related to “any Bodily Injury or Property Damage. . . .”[31] An ICS may be subject to and may cause precisely these sorts of risks. As one example, consider the recently reported attack on the Metcalf electrical substation.[32] Snipers opened fire on the substation and surgically disabled 17 transformers, requiring grid officials to reroute power around the site. It is not difficult to imagine such attacks causing power outages with cyber losses such as those at issue in Ingram Micro. Yet, coverage for these type 2 losses would arguably be precluded by the exclusions.

Conversely, it is not difficult to imagine saboteurs breaking into substations and uploading malware onto components used to monitor operations there. If power outages were to result in physical loss, a type 3 loss, an insurer advocate would likely rely on these exclusions to eliminate coverage under the policy. Again, whether such arguments would succeed is a matter likely to be resolved through litigation.

 

The war exclusion also presents issues regarding coverage for ICS risks. Some forms bar coverage for losses resulting from “any war, invasion, acts of foreign enemies, hostilities or warlike operations (whether war is declared or not), strike, lock-out, riot, civil war, rebellion, revolution, insurrection, civil commotion assuming the proportions of or amounting to an uprising, military or usurped power.”[33] Yet, many of the attacks on critical infrastructures have been traced to foreign state operators, and the risks to these systems therefore may fall within the war exclusion as well.[34]

Conclusion

During the past decade, there has been increased attention on insuring cyber risks. For the most part, insurers have been attempting to shoehorn cyber risks into specialized products and to exclude the risks from more traditional policies. Unfortunately, for the most part, these specialized products mostly address what we have called type 1 risks, and only a subset of them. It is likely that litigation will be required to determine whether the new exclusions eliminate coverage for type 2 and type 3 risks under standard policies and whether these risks are covered under specialized products. Given the need for cyber insurance that protects ICSs, a large question hangs over the cyber insurance market. Policyholders and their advocates, as well as government agencies, hoping to use that market to transfer cyber risk or to develop cybersecurity incentives, need to look closely at the sorts of products being sold and evaluate whether they adequately protect against cyber exposures.

Keywords: cyber insurance, cyber security, Industrial control systems, scada

Lon Berk is with Hunton & Williams LLP in McLean, Virginia, and New York City.


[1] Lon Berk is a partner at Hunton & Williams LLP, where he concentrates on assisting insureds maximize coverage for cyber risks.
[2] The head of Marsh’s network security and privacy practice estimates that sales of cyber insurance are set to double from $1 billion. Noah Buhayar, Sarah Jones & Zachary Tracer, “P/C Insurers Rush to Meet Rising Demand for Cyber Insurance,” Ins. J., Oct. 9, 2014.
[3] “ISO Comments on CGL Endorsements for Data Breach Liability Exclusions,” Ins. J., July 18, 2014.
[4] Exec. Order No. 13636, 3 C.F.R. 11739, § 2 (2013).
[5] Dep’t of Homeland Sec. Integrated Task Force, Executive Order 13636: Improving Critical Infrastructure Cybersecurity, Incentives Study Analytic Report (June 12, 2013).
[6] Larry Clinton, Internet Security Alliance, Cyber-Insurance Metrics and Impact on Cyber-Security.
[7] Clinton, supra note 6, at 1.
[8] In point of fact, it is very difficult to understand what this distinction amounts to. It appears to be one relied on by insurers on occasions when it makes little sense. As one judge put it,

a computer stores information by the rearrangement of the atoms or molecules of a disc or tape to effect the formation of a particular order of magnetic impulses, and a “meaningful sequence of magnetic impulses cannot float in space. It is the fact that the erasure was a “direct physical loss” that enables [the policyholder] to recover under the policy. . . .

NMS Servs. Inc. v. Hartford, 62 F. App’x 511 (4th Cir. 2003) (Widener, J., concurring).
[9] Am. Guar. & Liab. Ins. Co. v. Ingram Micro, Inc., No. CIV 99-185 TUC ACM, 2000 U.S. Dist. LEXIS 7299 (D. Ariz. Apr. 18, 2000).
[10] Am. Online, Inc. v. St. Paul Mercury Ins. Co., 207 F. Supp. 2d 459 (E.D. Va. 2002).
[11] Ingram Micro, 2000 U.S. Dist. LEXIS 7299, at *3.
[12] Ingram Micro, 2000 U.S. Dist. LEXIS 7299, at *3.
[13] Ingram Micro, 2000 U.S. Dist. LEXIS 7299, at *6.
[14] Ingram Micro, 2000 U.S. Dist. LEXIS 7299, at *6.
[15] America Online, 207 F. Supp. 2d at 463–64. The insuring agreement required damage to or loss of use of tangible property. Although the court found the computers to be tangible property, it found the program to be a defective product and therefore concluded that coverage was barred by the impaired property exclusion, which, very roughly, bars coverage for loss of use of property other than the policyholder’s product that was not physically damaged.
[16] Hartford DP 00 H0003 00 0312 (©2012 by The Hartford), at 3, III(E). The form at issue is used only as an example. Other forms have similar issues.
[17] Hartford DP 00 H0003 00 0312, at 1, I(A).
[18] Hartford DP 00 H0003 00 0312, at 5, III(N)(1)(2).
[19] Hartford DP 00 H0003 00 0312, at 7, III(CC).
[20] See “Target Hackers Broke in Via HVAC Company,” KrebsOnSecurity (Feb. 14, 2014). A version of the same malware was apparently used in another recent hack of another retailer. See “Home Depot Hit By Same Malware as Target,” KrebsOnSecurity (Sept. 14, 2014).
[21] Michael Riley, Ben Elgin, Dune Lawrence & Carol Matlack, “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It,” Bloomberg Businessweek (Mar. 13, 2014).
[22] The precise terminology to use to refer to industrial systems is not evident. I will use the term “industrial control systems” very broadly to refer to all industrial networks, including supervisory control and data acquisition (SCADA).
[23] Eric D. Knapp, Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA and Other Industrial Control Systems 7 (Syngress 2011).
[24] See the website of a company called Shodan.
[25] See, e.g., Lee Hutchinson, “Researchers Find It’s Terrifyingly Easy to Hack Traffic Lights,” Ars Technica (Aug. 20, 2014).
[26] Knapp, supra note 23, at 36.
[27] Knapp, supra note 23, at 36, 37.
[28] Kim Zetter, “An Unprecedented Look at Stuxnet, the World’s First Digital Weapon,” Wired (Nov. 3, 2014).
[29] Hartford DP 00 H0003 00 0312 (©2012 by The Hartford), at 3, III(E).
[30] Hartford DP 00 H0003 00 0312, at 10, IV(A)(13).
[31] Hartford DP 00 H0003 00 0312, at 10, IV(B)(1).
[32] Rebecca Smith, “Assault on California Power Station Raises Alarm on Potential for Terrorism,” Wall St. J. (Feb. 5, 2014).
[33] Hartford DP 00 H0003 00 0312, at 10, IV(A)(13).
[34] See, e.g., Patricia Zengerle, “NSA Chief Warns Chinese Cyber Attacks Could Shut U.S. Infrastructure,” Reuters (Nov. 21, 2014).

Copyright © 2015, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).