
Landlords with smart buildings are liable if their buildings get hacked and they aren't properly covered. Credit: Iceni


Landlords face insurance pitfalls as buildings get smarter

Cyberattacks are one of the greatest threats facing buildings as they become connected and smart, but ensuring smart buildings are insured for cyber threats is also becoming increasingly difficult, writes James McHale.

The rising vulnerability of connected buildings is driving limited cyber-coverage, and some brokers have even withdrawn from the space altogether. There are some early signs of policy change but, on the current trajectory, this could create serious threats to the smart building industry.

Legitimate cover goes missing

It should be of little surprise that cyber insurance is becoming harder and more expensive to obtain. As our latest cyber security research argues, the loss ratio – the amount an insurer pays in claims as a percentage of premiums it collects – for cyber insurance rose dramatically in 2020 to 67.8% from 44.8% in 2019. Insurers are reacting by modifying their operation and redoubling their efforts to better assess and quantify their cyber risk.

Rising costs have even led to some major insurers withdrawing from the market for ransomware cover entirely, with global insurance provider AXA announcing in May 2021 that it would no longer cover ransomware payments in France, for example.

While cyberattacks have driven growth in the cyber insurance market – the sector grew 74% to $4.8bn in the US alone in 2021 – there are considerable coverage gaps. The US Accountability Office reported that the percentage of clients purchasing cyber coverage increased from 26% in 2016 to 47% in 2020, leaving plenty of companies without cover for cyber breaches.

On top of this, when it comes to policy renewals, most insurers are now tightening the language used in their standard property policies in relation to cyber events, including actively excluding cover for cyber breaches of digital systems and electronic data.

A large proportion of smart building owners and operators are essentially unaware that they have no legitimate insurance cover for their smart building systems and would be fully liable for all associated costs in the event of a cyber breach – truly a concerning state of affairs.

Building systems at risk

There has been a huge increase in the number of insurers that specifically exclude cyber events that affect digital building systems, such as HVAC, lighting, elevator, parking, and access control, from their policies. The latest policy from Allianz Engineering for construction and power, for example, explicitly excludes coverage for loss, damage, legal liability, additional expenditure or cost consisting of or in consequence of cyber events.

“Most of the industry is probably self-insuring and does not know it, while at the same time doing very little to mitigate the actual risks,” Rob Murchison, principal at Intelligent Buildings, told Memoori.

As cyber insurance from traditional policies becomes more difficult and costly for smart buildings, many are turning to standalone cyber insurance. On average, cyber insurance rates rose by 89% in the fourth quarter of 2021, according to Risk Strategies’ State of the Market 2022 Report. And, according to leading US insurer Marsh, half of its US clients purchased standalone cyber insurance policies in 2021, almost double the 26% of clients in 2016. These trends are expected to continue into 2022, which is why insurers are putting a greater emphasis on risk management.

Standalone cyber liability insurance or data breach insurance policies are offered by several major providers, including Crum & Forster, AIG, and Chubb.

A cyber insurance policy may include assistance during a cyber incident; however, the levels of cover available may still extend only to a reduced set of operational technology risks, instead of blanket coverage of all costs resulting from a cyber incident.

While standalone cyber insurance policies that supplement the coverage and improve protection against cyberattacks for buildings are becoming available, the need to take out an additional policy to effectively cover the risks significantly adds to the cost.

A short-term solution

Standalone cyber insurance can only plug the coverage gap for so long. Until brokers fully understand the true scale of the attack surface in smart buildings, they will have no way to calculate risk accurately or price premiums fairly.

However, for those claiming insurance for cyber events, high-profile cases related to the NotPetya malware attacks in the build-up to the war in Ukraine have triggered landmark rulings that could provide hope in solving the cyber insurance problem for smart buildings.

In January 2022, biopharmaceutical company Merck won a $1.4bn legal dispute against its insurer for NotPetya attacks by suspected Russian-sponsored hackers. After Merck’s insurer, Ace American, denied coverage for NotPetya’s impacts based on an “acts of war” clause, Merck successfully sued them, arguing that cyberattacks are not an act of war.

Early signs of hope from Merck’s lawsuit are positive, but not enough to address the growing number of cyber-uninsured smart buildings in the world today. More should be done by buildings to improve cybersecurity, of course, but those that create adequate security should have the option of fairly priced insurance.

Cybersecurity breaches can easily be described as inevitable, which will always raise concern for insurance providers, but without reasonable cyber insurance options available, building owners may begin to reconsider their smart ambitions altogether.

James McHale is CEO of smart building consultancy Memoori. 
