The risk of a cyber attack being carried out on critical infrastructure is a real one, with losses extending to business interruption, property damage and personal injury. Around the world we have already seen examples of such cyber attacks, involving a power plant in Ukraine, a uranium enrichment plant in Iran and, closer to home, a waste management system in Queensland.
Yet insureds and insurers may be surprised to learn that Australian terrorism insurance laws do not currently protect their interests in the event of a cyber-terrorist attack in the same way they do following a purely physical terrorist attack. This is because policies that provide cover for “computer crime” losses are specifically excluded from the operation of terrorism insurance laws.
As highlighted by the Australian Reinsurance Pool Corporation (ARPC) in a recent discussion paper, this creates a coverage gap which should be of significant concern for many Australian organisations, particularly those which expect cover to be available for disruption of operations and destruction to physical property following a terrorist attack. Insurers, to the extent they may provide cover, should also be concerned as reinsurance would not be available through the ARPC.
Australian Terrorism Insurance Laws
The Terrorism Insurance Act 2003 and its regulations operate to prevent insurers from denying cover for eligible terrorism losses following a terrorist attack. The Act does this by striking out terrorism exclusions in eligible insurance contracts once a terrorist attack has been declared.
Broadly speaking, ‘eligible insurance contracts’ are limited to those policies which provide cover for:
- loss or damage to eligible property and its contents (which generally means commercial property);
- business interruption and consequential loss arising from loss or damage to eligible property; and
- liability of the insured as owner or occupier of eligible property.
In this way, the Terrorism Insurance Act ensures that insureds have the benefit of their commercial property, business interruption and public liability policies following a terrorist attack.
To protect the interests of insurers prevented from relying on terrorism exclusions, the Terrorism Insurance Act establishes a corresponding reinsurance scheme through which insurers can reinsure the risk of eligible claims for terrorism losses, which is administered by the ARPC.
Regulation 32 – Coverage Gap
At issue is regulation 32 of the Terrorism Insurance Regulations which provides that insurance policies are not considered ‘eligible insurance contracts’:
to the extent that [they provide] cover for loss arising from computer crime.
This means that should a terrorist cyber-attack be deemed a ‘computer crime’ (which is likely), relevant terrorism exclusions will not be voided by the operation of the Terrorism Insurance Act and will remain in place, despite the event being declared a terrorist attack.
The ARPC is currently considering this important issue. In the meantime, both insurers and insureds should consider whether their policies will respond as anticipated and address coverage gaps as best they can. However, these gaps may not be fully addressed without legislative change.
This blog is a snapshot of a longer article recently published in the Australian Insurance Law Bulletin. See: Tricia Hobson, Ray Giblett and Reece Corbett-Wilkins, ‘Terrorism related property damage and business interruption losses: is cover lost in cyberspace?’ (2016) 32(2-3) Insurance Law Bulletin 23. Contact us if you would like a copy.