A recent event that received surprisingly little media attention serves as a reminder of a lurking cyber risk that is different in kind and scale than more widely and frequently reported privacy-related data breaches.

Between July 29 and September 14, 2016, a series of fires and explosions occurred at petrochemical plants and pipelines in Iran. Although Iranian government officials initially denied that the fires were caused by a cyber attack, they later acknowledged that Iran's petrochemical industry has been the target of cyber attacks, and the head of a cyber security firm specializing in protecting industrial systems stated that he was "100 percent" sure that the fires were the result of hacking.

Unlike more common data breaches, which result in disclosure of private information to an unauthorized third party, these cyber attacks were simply intended to cause damage more like large-scale vandalism. Costs associated with data breaches are generally covered under cyber insurance. But what about a cyber attack that causes physical damage and business interruption on a catastrophic scale? That is not the type of loss ordinarily covered by most cyber insurance policies. Such losses may, however, be covered under the broad language of a company's traditional property policies.

The growth of cyber insurance

Over the past decade, privacy-related data breaches have become more frequent. When early data breaches were reported, such as TJX/TJ Maxx in 2007, they were a relatively unknown and anomalous phenomenon. Today, nearly every big business has experienced either an actual or attempted data breach. Typical costs associated with these data breaches include detection, investigation, notification, crisis management, legal defense, identity protection services, product discounts, and a host of other direct and indirect costs. According to a leading industry report, the average total cost to a U.S. company of a data breach in 2014 was $6.5 million.