Cyberterrorism insurance complicated

By Jonathan L. Schwartz and Thomas D. DeMatteo

It is a scary thought that hackers can now remotely gain control of our vehicles. The Central Intelligence Agency is talking about this scenario.


In summer 2015, security researchers Charlie Miller and Chris Vasalek first demonstrated they could take control of a Jeep Cherokee. They did it again in 2016.

They have proven capable of disabling a car’s transmission and brakes, taking over its steering wheel and adjusting its cruise control settings.

What we now know is the more technologically sophisticated our vehicles become, especially with increasingly automated functions, the more prone they become to outside interference. From onboard diagnostics to Bluetooth modules to embedded Internet modems to Wi-Fi Internet routers to USB device ports to high-definition radio to near-field communication devices, modern vehicles have myriad vulnerabilities to hackers.

The recent movie “The Fate of the Furious” accurately predicted the future with terrorists capable of overwhelming manual control of our vehicles and potentially causing great harm. This risk should be of particular concern to commercial vehicle operators and rental agencies.

Insurance available through the federal Terrorism Risk Insurance Act (TRIA) and its successor, the Terrorism Risk Insurance Program Reauthorization Act, and sold as part of a standard liability insurance policy is one option. Although, to qualify for such coverage, the Secretary of Treasury, along with the Department of Homeland Security and the U.S. Attorney General, have to certify the incident as an act of terrorism.

Perhaps surprisingly and unfortunately for those having availed themselves of this TRIA coverage, the Treasury has never certified an attack as an act of terrorism. That includes the Boston Marathon bombings, even though President Obama used the term “terrorism” in a speech.

To otherwise qualify for TRIA coverage, the loss must exceed $100 million in damage.  Suffice it to say, a hacker’s hijacking of a commercial vehicle with the intent to cause harm at a stadium or shopping mall, for instance, should result in such great destruction that the extent of the loss should exceed that threshold.

There also is a private marketplace for stand-alone terrorism coverage. The coverage available typically focuses, however, on property coverage rather than liability coverage.  No matter the terrorism coverage, if the hacked or hijacked vehicle is used to deliver a nuclear, biological, chemical or radiological weapon, the loss will not be covered, as such losses are generally uninsurable.

What still might be available to commercial vehicle operators and rental agencies is protection through a stand-alone cyberinsurance policy. But, unlike commercial auto coverage, the wordings of cyberinsurance policies can vary greatly. There is no “off-the-rack” cyberinsurance policy.

As part of the variance among cyberinsurance carriers, some cyberinsurance policies now afford coverage for “bodily injury” and “property damage” caused by cyberterrorism.  Nonetheless, the available limits for such policies probably will be inadequate given the potential harm from a terrorist hijacking a bus and using it to cause destruction. Plus, the premiums for cyberinsurance for commercial vehicle operators and rental agencies, which includes “bodily injury” and “property damage” coverage, can be very expensive.

These cyberinsurance policies also may exclude non-certified acts of terrorism, which returns policyholders to the problem they face initially with their standard lines insurance products. The policy’s cyberterrorism coverage may otherwise be conditioned upon extortion, the terrorism not being state-sponsored, or the incident being better classified as an act of “war” or “warlike action.”

Ultimately, before considering this coverage, policyholders should consult with an insurance broker and coverage counsel who are knowledgeable of cyberinsurance policies. We expect they can steer your company toward an insurance solution suitable for its needs.

Jonathan L. Schwartz is chair of the Cyber-Risk Coverage Group at Goldberg Segalla, LLP. Thomas D. DeMatteo is chief legal officer of ABC Bus Companies.

Share this post