Cyberattacks and Environmental Risk

Insurance Professionals: Take Note

• If you sell cyber insurance, ensure pollution losses from cyberattacks are covered.
• Failing to do so may leave your client relying solely on your Errors & Omissions (E&O) coverage.

• Hackers target digital systems across industries.  Hackers can impact the operation, control, performance, navigation, warning systems…, of watercraft, trains, aircraft, road vehicles, dam operations, manufacturing, HVAC, plumbing, electric, security systems, basically anything that depends upon computers can be the target of hackers.
• In the environmental sector, cyberattacks have disrupted dam operations, HVAC, manufacturing, plumbing, and security systems—anything reliant on computers is vulnerable.

Real-World Example: Wastewater Treatment Plant

• A cyberattack caused 300,000 gallons of raw sewage to spill into a river and flood nearby businesses.
• Hackers manipulated equipment to run unsafely, creating pollution liabilities and threatening human and environmental health.

Cyber Insurance Gaps

• Most cyber insurance policies exclude pollution liabilities caused by cyberattacks.
• This leaves businesses exposed to significant financial and legal risks.
• Businesses susceptible to hackers need to have an environmental financial assurance plan to address pollution liabilities caused by hackers?  Financial assurance can be in the form of a letter of credit, bond, monies in escrow, captive, or pollution insurance.

Pollution Insurance as a Solution

• Pollution insurance fills coverage gaps left by cyber policies.
• It is a cost-effective financial assurance tool—often costing “fractions of a cent” on the dollar.
• Coverage includes:
  • First-party cleanup
  • First party business income
  • Third-party bodily injury and property damage & Business income
  • Emergency response cost
  • Reputational risk
  • Transportation pollution liability
  • Legal fees and investigation costs…

Policy Language Matters

• Some environmental insurance carriers define pollution incidents to include those resulting directly from a cyberattack, ensuring coverage is explicit.
•  As an example, one environmental insurance carriers’ definition of a “Pollution Incident” includes the following wording:  the discharge, dispersal, release, seepage or escape of any pollutant into or upon land, or any structure on land, the atmosphere or any watercourse or body of water, including groundwater, that results directly from a cyberattack.