Physical property damage from cyber incidents: Implications for insurers

The traditional distinction between cyber and physical risks is rapidly dissolving. Whilst cyber insurance initially addressed purely digital losses - data breaches, network outages, and ransomware - the landscape has fundamentally shifted. 

Cyber incidents are increasingly causing tangible physical property damage, creating significant challenges for insurers who have historically treated these as separate domains.

The evolution of cyber-physical risk

From digital to physical

As operational technology (OT) and information technology (IT) systems have become increasingly interconnected, cyber attacks can now directly impact physical infrastructure and assets. Industrial control systems, building management systems, and critical infrastructure are all vulnerable to cyber intrusion with physical consequences.

Notable incidents

Several high-profile incidents have demonstrated this capacity:

• The 2017 Triton/Trisis Attack targeted a Saudi Arabian petrochemical facility's safety systems with potential for catastrophic physical damage and loss of life, demonstrating the vulnerability of industrial safety systems.
• Ukrainian Power Grid Attacks (2015 and 2016) caused physical power outages affecting hundreds of thousands, demonstrating the ability to manipulate physical systems remotely.

Emerging risk scenarios

Lloyd's of London estimates that a major cyber attack on critical infrastructure could cause economic losses comparable to natural catastrophes, potentially reaching hundreds of billions of pounds. The interconnected nature of modern infrastructure means a single cyber incident could cascade across multiple sectors.

Insurers must now contemplate scenarios including:

• compromised smart building systems causing physical damage through manipulation of HVAC or fire suppression systems;
• cyber vulnerabilities in autonomous vehicles resulting in physical collisions; 
• attacks on connected medical equipment causing harm and infrastructure damage; and
• cyber manipulation of manufacturing processes producing defective products.

Implications of physical property damage from cyber incidents

1. Policy wording and coverage disputes

The ambiguity surrounding cyber-physical damage has created potential coverage disputes:

• Traditional property policies were drafted without contemplating cyber-induced physical damage. 
• Many cyber policies explicitly exclude physical property damage, assuming coverage under property policies.
• Many existing policies contain neither explicit coverage nor exclusions, creating uncertainty. Recent regulatory responses have pushed insurers to require clear affirmative coverage or exclusions.

2. Claims handling complexity

When cyber incidents cause physical damage, claims become significantly more complex:

• Determining whether physical damage was caused by a cyber incident or other factors requires specialist forensic investigation.
• A single incident might trigger claims under multiple policies, requiring coordination across insurers.
• Claims handlers need both cyber security knowledge and traditional property damage assessment skills.
• Identifying and pursuing responsible parties is far more difficult than in traditional property claims.

3. Increasing frequency and severity

All indicators suggest cyber-induced physical damage will become more frequent and severe due to growing IoT connectivity, sophisticated threat actors, and systemic vulnerabilities in common software platforms.

What this means for insurers

The cost of physical property damage from cyber incidents represents a fundamental challenge to traditional insurance models. This convergence creates significant challenges across underwriting and claims handling.

Marsh reported recently that the cost of cyber breaches on operational technologies such as industrial control systems is far higher than previously understood (£31bn annually).

Cyber-physical risk is neither purely cyber nor purely property - it is a distinct risk category requiring integrated approaches, cross-disciplinary expertise, and continuous adaptation to an evolving threat landscape.

Insurers who treat cyber-physical damage as an afterthought risk significant losses and coverage disputes. As the digital and physical worlds become increasingly intertwined, the insurance industry must evolve accordingly.