Property Risk

Cyberattacks Reach the Physical Realm

Underwriters and risk managers are beginning to get their arms around the next wave of cyber exposure — an attack that causes property or bodily damage.
By: | July 27, 2017 • 7 min read

When the Baku-Tbilisi-Ceyhan pipeline exploded in 2008 in eastern Turkey, it damaged the pipeline in Refahiye, spewed oil into the environment and posed physical harm to firefighters called in to quell the flames.

Cyber attackers apparently hacked into the pipeline’s control system and manipulated valves to increase pressure inside the pipe, while suppressing alarms that would have alerted operators to an error.


In 2014, an unnamed steel mill in Germany sustained extensive damage after hackers breached the plant’s computer network via a spear phishing email, then infiltrated industrial systems that control operational machinery.  The attack compromised the system so that a blast furnace could not be shut down.

In another well-known incident the year before, the Stuxnet computer virus engineered by U.S. and Israeli forces damaged thousands of centrifuges at an Iranian nuclear power plant, again compromising system controls while making it appear everything was working normally. The virus was introduced through an employee’s thumb drive.

These are only a few examples of cyberattacks that caused physical property damage and potential bodily injury.

“The breaches and cyberattacks we see in the news are usually around the theft of personally identifiable information,” said Tracie Grella, global head of cyber risk insurance at AIG.

“We’ve seen ransomware events, DOS attacks. The data disclosure and business downtime are usually the results of a network breach. But the potential for extensive physical damage is an emerging risk.”

As cyber risk rapidly evolves, the insurance industry is working hard to keep up. However, gray areas remain and there are unanswered questions about how to underwrite and mitigate such a dynamic risk.

Loss Scenarios

“Five to 10 years ago, cyberattacks were motivated primarily by financial gain and access to confidential data,” said Chris O’Byrne, cyber underwriting specialist at FM Global. “This has evolved into more attacks focused on causing business disruption, and others where the goal is physical damage.”

Tracie Grella, global head of cyber risk insurance, AIG

Though every type and size of company is susceptible to a cyberattack, those with industrial-control systems (ICS), such as manufacturers and energy suppliers, may be most vulnerable to an attack intended to cause physical damage. Industrial-control systems are comprised of many components relying on communication between separate computer networks. The less cohesive a system is, the more opportunities arise for hackers to find a way in.

“We’re seeing more reports of malware being written specifically to target these systems,” O’Byrne said.

“Companies first think to look at their GL or property policies for coverage … but these policies really were not designed to respond to cyberattacks.” — Tracie Grella, global head of cyber risk insurance, AIG

“The intent may not be to expressly cause physical damage, but that could certainly be a result.”

The physical damage that could result from an attack on ICS varies. It could be a fire that destroys equipment or a whole facility; it could be the simple wearing down and corrosion of machinery; it could involve environmental damage, or damage to any goods being produced.

“Hackers can spoof sensors by sending false data. They can force cyclical behaviors, like turning something on and off in rapid cycles, which causes machinery to wear out, fuses to be blown, leaking, and in some cases explosion and fire,” said Tom Harvey, product manager of cyber solutions at RMS, the risk modeling firm.

“It could be something as simple as disconnecting safety features,” he said. “Everything would be operating as it should, but there’s the increased risk for bodily injury.”

Spoofing sensors also can cause damaged goods, without harming any machinery or equipment. In a refrigerated truck, for example, hackers would feed sensors false data so they continually record a temperature of 0 degrees, even if it’s 70 inside the truck. An entire shipment of frozen goods would be ruined by the time it reaches its destination.

“It’s not that the refrigeration equipment was broken; it’s that the sensors were fed the wrong information, and no one had any indication that it was false,” said Robert Parisi, cyber product leader at Marsh. “These losses will not fall into the simple buckets in which the insurance community likes to put things.”

The scope of potential losses leaves risk managers wondering what insurance policy, if any, will cover the damage.

Looking for Cover

“The question in insurance becomes: where is that covered?” Grella said.


The industry has no uniform way to address these losses. Cyber coverage typically excludes physical loss. Property or general liability policies likely cover property damage, even if the underlying trigger was a cyber event. Companies also might find coverage in crime or fidelity policies, if the breach was perpetrated by an employee.

“Companies first think to look at their GL or property policies for coverage, and they may find it there, but these policies really were not designed to respond to cyberattacks,” Grella said.

“Finding silent coverage is not really where insurers or insureds want to be. Clients want to know what they’re buying and what’s covered, and carriers want to know exactly what they’re covering.”

Coverage for cyber-triggered physical losses could extend in two directions. Carriers could begin offering affirmative coverage for cyber events in property policies, or cyber policies could expand to include property damage and bodily injury, not just loss of data, business interruption and other non-physical losses.

Tom Harvey, product manager of cyber solutions, RMS

“Market conditions will dictate that evolution to some degree,” Harvey of RMS said. “At the moment, the property market is very soft, which drives underwriters to try to win more business, which means they’ll be more generous with their cyber coverages. On the other hand, regulators want to ensure underwriting is done properly, with adequate controls in place, which could push property underwriters to move away from cyber endorsements.”

Property and cyber underwriters need to work together to ensure they are managing the risk appropriately. Marsh’s Parisi said some cyber insurers have offered to cover physical loss only if the insured’s property policy does not respond. This shows the industry is recognizing the widening coverage gaps.

“Cyber policies expanding to take in this exposure is the cleanest way to do it,” he said. “We are seeing greater flexibility on the part of the cyber market to adapt to changing loss scenarios that don’t have actuarial data behind them or underwriting standards.”

AIG, Marsh and FM Global are among insurers and brokers offering expanded cyber products designed to affirmatively cover physical harm.

“We’re starting to get more inquiries about our coverage and how it intersects with other cyber policies,” FM Global’s O’Byrne said. “What clients really want is contract certainty.”

Risk Mitigation

RMS has spent the past year modeling the severity of physical losses triggered by a cyberattack, but nailing down the frequency remains a challenge.

“We have developed models to confidently help insurers assess what the severity of cyber-physical events might be,” Harvey said. “RMS are continuing to explore methods of assessing the probability of these rare events as we know both the frequency and severity are critical components of quantifying the risk.”

With cyber risks evolving and uncertainties in the type and scope of losses and coverage gaps, the best approach risk managers can take is to treat cyber like any other operational risk and apply enterprise risk management.

“The best companies approach cyber risk the same way they do currency risk, or political unrest, or weather risk — like any other standard risk,” Parisi said. “Tech-based risks are really no different that any other risk and you need to manage them through the normal risk management channels. Make sure that technology risk is part of the ERM discussion.”

“If you are targeted by a sophisticated group of hackers, they will find a way in. You have to make sure you’re properly covered.” —Tom Harvey, product manager, cyber solutions, RMS

Cross-functional teams including risk management, IT, operations and security should work with senior executives to assess the scope of cyber risk and develop a multi-pronged strategy, O’Byrne said.


“Buying the newest, shiniest piece of technology won’t necessarily solve your exposure. Assuming that the IT guys will somehow fix it ignores the fact that technology has crept into everything that we do. It’s an active risk to be managed, not a problem to be solved,” he said.

Patching cyber vulnerabilities in industrial-control systems, and separating critical control systems from business networks and other non-critical functions can make it harder for hackers to access machinery and production controls.

Risk managers also should conduct gap analyses to determine if and where they have coverage for physical damage from a cyberattack.

“Your broker or a third-party vendor can provide this service,” Grella of AIG said. “You want to make sure you have a primary policy that provides coverage for physical damage from cyber on an affirmative basis.”

Given the near impossibility of gauging and defending against all cyber exposures as the risk takes on new forms, closing coverage gaps will be the most critical risk management technique.

“If you are targeted by a sophisticated group of hackers, they will find a way in,” Harvey said. “You have to make sure you’re properly covered.” &

Katie Dwyer is an associate editor at Risk & Insurance®. She can be reached at [email protected]

More from Risk & Insurance

More from Risk & Insurance

Risk Management

The Profession

Janet Sheiner, VP of risk management and real estate at AMN Healthcare Services Inc., sees innovation as an answer to fast-evolving and emerging risks.
By: | March 5, 2018 • 4 min read

R&I: What was your first job?

As a kid, bagging groceries. My first job out of school, part-time temp secretary.

R&I: How did you come to work in risk management?

Risk management picks you; you don’t necessarily pick it. I came into it from a regulatory compliance angle. There’s a natural evolution because a lot of your compliance activities also have the effect of managing your risk.

R&I: What is the risk management community doing right?


There’s much benefit to grounding strategic planning in an ERM framework. That’s a great innovation in the industry, to have more emphasis on ERM. I also think that risk management thought leaders are casting themselves more as enablers of business, not deterrents, a move in the right direction.

R&I: What could the risk management community be doing a better job of?

Justified or not, risk management functions are often viewed as the “Department of No.” We’ve worked hard to cultivate a reputation as the “Department of Maybe,” so partners across the organization see us as business enablers. That reputation has meant entertaining some pretty crazy ideas, but our willingness to try and find a way to “yes” tempered with good risk management has made all the difference.

Janet Sheiner, VP, Risk Management & Real Estate, AMN Healthcare Services Inc.

R&I: What was the best location and year for the RIMS conference and why?

San Diego, of course!  America’s Finest City has the infrastructure, Convention Center, hotels, airport and public transportation — plus you can’t beat our great weather! The restaurant scene is great, not to mention those beautiful coastal views.

R&I: What’s been the biggest change in the risk management and insurance industry since you’ve been in it?

The emergence of risk management as a distinct profession, with four-year degree programs and specific academic curriculum. Now I have people on my team who say their goal is to be a risk manager. I said before that risk management picks you, but we’re getting to a point where people pick it.

R&I: What emerging commercial risk most concerns you?


The commercial insurance market’s ability to innovate to meet customer demand. Businesses need to innovate to stay relevant, and the commercial market needs to innovate with us.  Carriers have to be willing to take on more risk and potentially take a loss to meet the unique and evolving risks companies are facing.

R&I: Of which insurance carrier do you have the highest opinion?

Beazley. They have been an outstanding partner to AMN. They are responsive, flexible and reasonable.  They have evolved with us. They have an appreciation for risk management practices we’ve organically woven into our business, and by extension, this makes them more comfortable with taking on new risks with us.

R&I: Are you optimistic or pessimistic about the U.S. health care industry and why?

I am very optimistic about the health care industry. We have an aging population with burgeoning health care needs, coupled with a decreasing supply of health care providers — that means we have to get smarter about how we manage health care. There’s a lot of opportunity for thought leaders to fill that gap.

R&I: Who is your mentor and why?

Professionally, AMN Healthcare General Counsel, Denise Jackson, has enabled me to do the best work I’ve ever done, and better than I thought I could do.  Personally, my husband Andrew, a second-grade teacher, who has a way of putting things into a human perspective.

R&I: What have you accomplished that you are proudest of?

In my early 20s, I set a goal for the “corner office.” I achieved that when I became vice president.  I received a ‘Values in Practice’ award for trust at AMN. The nomination came from team members I work with every day, and I was incredibly humbled and honored.

R&I: What is your favorite book or movie?

The noir genre, so anything by Raymond Chandler in books. For movies,  “Double Indemnity,” the 1944 Billy Wilder classic, with insurance at the heart of it!

R&I: What is your favorite drink?


Clean water. Check out for how to help people enjoy clean, safe water.

R&I: What’s the best restaurant at which you’ve eaten?

Liqun Roast Duck Restaurant in Beijing.

R&I: What is the most unusual/interesting place you have ever visited?

China. See favorite restaurant above. This restaurant had been open for 100 years in that location. It didn’t exactly have an “A” rating, and it was probably not a place most risk managers would go to.

R&I: What is the riskiest activity you ever engaged in?

Eating that duck at Liqun!

R&I: If the world has a modern hero, who is it and why?

Dr. Seuss who, in response to a 1954 report in Life magazine, worked to reduce illiteracy among school children by making children’s books more interesting. His work continues to educate and entertain children worldwide.

R&I: What do your friends and family think you do?

They’re not really sure!

Katie Dwyer is an associate editor at Risk & Insurance®. She can be reached at [email protected]