Privacy & Information Security Law Blog

Hunton & Williams Insurance Litigation & Counseling partner Lon Berk reports:

Insurers often contend that traditional policies do not cover cyber risks, such as malware attacks and data breach events. They argue that these risks are not “physical risks” or “physical injury to tangible property.” A recent cyber attack involving ATMs, however, calls this line of reasoning into question.

The attack involved breaking open ATMs and inserting USB sticks containing a dynamic-link library (“DLL”) exploit. These types of attacks generally work by “tricking” a Windows application to load a malicious file with the same name as a required DLL . In this case, when the ATMs were rebooted they loaded the malicious code onto the machines. The perpetrators later entered a code into the ATMs that triggered the malware and enabled the withdrawal of all cash in the ATM.

These attacks demonstrate how a cyber risk can, in fact, be a risk of physical injury. To upload the malware, the attackers had to physically break open the ATMs to insert a foreign device (the USB stick), plainly causing a physical injury to tangible property. Indeed, injecting malware generally requires physical access to a device, whether over a wireless or wired network or through actual contact, and a physical rearrangement of memory. That said, the risk of physical injury associated with cyber crimes does not mean that policyholders should not buy appropriate cyber insurance. Insurers have incorporated exclusions in many traditional policies that may exclude coverage for damage caused by malicious code. But where those exclusions are limited, or absent, policyholders should check their traditional policies for coverage. Those polices may offer protection, even without a separate cyber insurance policy.