Two hundred billion IoT devices could be in use by 2020, according to one estimate cited in the World Economic Forum’s recent report, Mitigating Risk in the Innovation Economy.  This rapid integration of the digital world and the physical world presents unprecedented opportunities for businesses in a wide array of industries.  But it also creates unprecedented risks.  Despite ongoing efforts to create security standards for IoT devices — for example, the National Institute of Standards and Technology’s recent draft paper to this end — the security of such devices currently remains wanting.  With the cyber and physical worlds so closely intertwined, future hacking incidents may threaten not only electronic data, but also property and lives.

Policyholders adopting IoT and related technologies may face uncertainty over coverage for these so-called “cyber-physical” harms under commonly available insurance policy forms.  Most cyber insurance policies have expressly excluded coverage for bodily injury and property damage, while standard-form general liability and property policies may have exclusions that some insurers invoke to dispute coverage for cyber-related harms.  In recent years, however, new insurance policies and endorsements have emerged to address this coverage uncertainty by giving policyholders options for explicit coverage for physical damage from cyber attacks.

As policyholders adopt technology that links their physical systems to digital components, they should consider what potential real-world harms could result from their cyber-networked things — and whether their existing lines of insurance cover them.  Such policyholders may conclude that it is time to explore the newer insurance products specifically geared towards cyber-physical risks.  Even these purpose-built policies and endorsements call for careful scrutiny and potential negotiation, however, because they are not standardized. Not only do policy wordings vary, but so do individual policyholders’ risk exposures. For example, a policyholder that may be an especially attractive target for state-sponsored hacking may need to pay particular attention to the wording of exclusions such as the common “war” and “terrorism” exclusions.  Guidance from experienced coverage counsel and sophisticated insurance brokers is useful, if not essential, for those exploring this relatively novel territory.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of John Buchanan John Buchanan

John Buchanan, senior counsel in Covington’s Washington office and the firm’s first Insurance Practice Group Coordinator, has represented policyholders in insurance coverage advocacy, dispute resolution and counseling for nearly four decades. His practice has ranged from the early DES and asbestos coverage…

John Buchanan, senior counsel in Covington’s Washington office and the firm’s first Insurance Practice Group Coordinator, has represented policyholders in insurance coverage advocacy, dispute resolution and counseling for nearly four decades. His practice has ranged from the early DES and asbestos coverage litigation to claims for some of the largest cyber losses in history. John has litigated, arbitrated or negotiated a wide variety of complex property and casualty insurance claims, from railroad derailment claims to satellite-in-orbit claims, and from silver-theft claims to cyber claims. The National Law Journal named him an Insurance Trailblazer in 2021, and Best Lawyers has twice named him Washington Insurance Lawyer of the Year. Chambers USA has also consistently recognized him in its national rankings for insurance coverage lawyers (currently as Senior Statesman, previously in Band 1), as have Best of the Best USA, Who’s Who Legal and other peer reviewed lawyer registries.

John became involved with emerging cyber-related coverage issues in the mid-1990s and co-authored one of the earliest treatise chapters on cyber insurance coverage in 2001. Starting with the network intrusion and payment card thefts discovered by TJX in 2006, he has represented policyholders pursuing claims for losses arising from data breaches reported to involve tens of millions of compromised records. John also regularly advises businesses in the management of their cyber and cyber-physical risks, such as those arising from products or services involving the Internet of Things (IoT)-, Artificial Intelligence (AI), Connected and Autonomous Vehicles (CAVs), and the Metaverse or “Web3.”

Photo of Dustin Cho Dustin Cho

Dustin Cho is an associate in the firm’s Washington office. He represents and assists clients in the media, entertainment, sports, and technology sectors in state and federal litigation, as well as in rulemaking and adjudicatory proceedings before the Federal Communications Commission. Mr. Cho…

Dustin Cho is an associate in the firm’s Washington office. He represents and assists clients in the media, entertainment, sports, and technology sectors in state and federal litigation, as well as in rulemaking and adjudicatory proceedings before the Federal Communications Commission. Mr. Cho regularly advises clients on policy and regulatory issues that affect the communications and technology industries.