05 March 2025

Bridging the Cyber Insurance Gap: Addressing Property Damage Risks in an Automated World

The growing risk

As the use of technology continues its rapid expansion across industries, so does the risk of cyber-attacks in areas previously deemed immune. Businesses are increasingly reliant on operational technology and automation to drive efficiency and productivity—but this dependence also introduces new vulnerabilities. With elements of automation being introduced into just about every aspect of even complex manufacturing processes, these areas are more vulnerable than ever to threats.

The following article explores the complex intersection of cyber insurance and property damage coverage, and how potentially critical gaps in coverage can be filled.

The background

Following two major ransomware incidents (NotPetya and WannaCry) almost 10 years ago, where global property insurers suffered nearly USD3 billion in losses from these cyber-events, global reinsurers and regulators mandated that all insurers take steps to reduce the unintended exposures caused by silent cyber coverage in their policies.

Lloyd’s of London, prompted by the Prudential Regulation Authority (PRA), decreed that from the 1st Jan 2020, all policies covering first-party property damage should either specifically include property damage cover as a result of a cyber-attack, or exclude it. This was then extended to liability policies and reinsurance treaties. As a result, most global insurers have adopted broad exclusions that can create significant coverage gaps for fire, explosion, and flooding caused by cyber incidents.

Case Study

- A hacker successfully infiltrated the computer systems of a German steel mill.

- Once the attackers navigated their way from the corporate to the plant network, they altered critical process components, resulting in a loss of control, and ultimately enormous physical damage to the individual control system components.

- This type of cyber-induced property damage loss would now be excluded under most traditional P&C insurance policies post-1st January 2020.

“Our clients across multiple different sectors are consistently telling us the lines between hardware and software are becoming more and more blurred; and with it, this exact area of risk continues to grow.”
Dominic Lion Executive Director, Gallagher Specialty

The coverage gaps

Traditional cyber insurance does not typically cover damage to physical property, bodily injury, or business revenue loss resulting from a cyber-induced physical damage event. At the same time, most P&C insurers have implemented exclusionary language that limits coverage for cyber-related physical risks. This leaves businesses vulnerable to substantial losses in the event of a cyber-attack that results in:

  • Fire, explosion, or flooding
  • Physical damage to operational technology
  • Business interruption caused by cyber-induced physical events
  • Bodily injury arising from cyber incidents

The solution

Businesses across sectors such as manufacturing, energy, mining, heavy industry, transportation, and hospitality are recognising their increased exposure to cyber threats. As a result, specialised cyber insurance solutions have been developed to address these coverage gaps.

These new and enhanced cyber policies, categorised under the Lloyd’s CZ risk code, provide three key coverage options:

Cyber Policy Coverage
High-Level Summary
Traditional Cyber coverage (non-physical triggers)
This section of cyber coverage will still provide the traditional cyber policy coverages: Breach response costs, Security and Privacy Liability, Privacy Regulatory Fines and Penalties (where insurable by law), Cyber Extortion costs and ransoms, and of course non-property damage Business Interruption
Property Damage & resulting Business Interruption
This policy area/option now operates as a buyback to exclusions on traditional property policies. These products secure simple carve-back cover for now definitively excluded cyber events resulting in property damage
Traditional Cyber coverage, Property Damage & resulting Business Interruption combined
Certain cyber products combine coverage for standard cyber liability (including coverages listed in row 1 above) with the physical damage element (row 2). These products provide coverage for Property Damage, Debris Removal, Bodily Injury and Business Interruption from cyber events otherwise excluded under traditional cyber programs.

Why Gallagher?

Navigating these complex coverage issues requires specialist expertise. Gallagher’s unique consultative approach ensures that clients understand their risks and make fully informed decisions about their coverage.

Through the expertise of Gallagher’s Global Complex Risks team, in collaboration with our specialist cyber division and consulting colleagues at AnotherDay, we develop tailored solutions to protect organisations from cyber risks that impact both digital and physical assets.

AnotherDay, a Gallagher company, is a specialist consultancy firm working with insurers on strategic risk advisory encompassing cyber threats, geopolitical intricacies and climate change implications. The AnotherDay team work in conjunction with Gallagher’s core insurance broking businesses as a complementary risk management and consulting service for clients.

Let's talk

Dominic Lion

Executive Director, Global Complex Risks

Dominic_Lion@ajg.com

Back to Home

Share on social

The Walbrook Building 25 Walbrook London, EC4N 8AW

Legal & Regulatory | Privacy Policy

Arthur J. Gallagher (UK) Limited is authorised and regulated by the Financial Conduct Authority. Registered Office: The Walbrook Building, 25 Walbrook, London EC4N 8AW. Registered in England and Wales. Company Number: 119013.