Today’s cyber attack (still working its way through networks, at the time of this post) on the UK’s NHS has resulted in many hospitals and doctors’ offices remaining closed, as they cannot access the networks and IT systems they rely upon to provide care. This will undoubtedly result in patient injuries (being exacerbated and causing further harm) and possibly death. BBC reporters have cited sources saying:
“Absolute carnage in the NHS today. Two Hyperacute stroke centres (the field I work in) in London have closed as of this afternoon. Patients will almost certainly suffer and die because of this.
“Had a patient that needed urgent neurosurgery referred, but unable to look at scans – stroke care is absolutely dependent on IT systems and joined up systems.”
This type of attack appears to be ransomware related to the NSA’s leaked toolkit from last month’s breach. While ransomware is a growing nuisance, many companies have yet to protect themselves from these types of attacks. Even so, the best IT security standards can be penetrated by smart cyber criminals using social engineering. Further, most companies have yet to include cyber insurance in their portfolio of risk management policies.
So, will a cyber attack resulting in bodily injury caused by ransomware or social engineering be covered by cyber insurance? The devil is in the details, unfortunately. Many cyber policies do not cover ransomware or claims generated from social engineering incidents. Other policies, like Crime and General Liability, may offer minimal coverage at best, but most have been written to exclude cyber-caused incidents. To further complicate the situation, bodily injury (which is typically covered by General Liability) is often excluded explicitly under cyber policies.
The solution is to make sure you buy the right cyber insurance policy to begin with. If you have an exposure to bodily injury, make certain you have placed coverage with a carrier that offers this on their cyber policies (there are a few). Your broker can also make sure the cyber policy “dovetails” with your General Liability policy to ensure that you’re not duplicating coverage while still covering the gaps.
Find a broker that knows how to 1) assess your cyber risk to determine what coverage is necessary and 2) design a program that addresses your cyber risks. As a bonus, most cyber insurance policies include a variety of risk management services, like breach coaches and access to cyber professionals to help you – if and when you get hit with an attack.