Who says the digital world and the physical one are separate?
On Wednesday, AIG announced it's expanding cyber insurance offering to cover property damage and bodily injury. It's a watershed moment. A major insurer is saying the virtual and corporeal are now, in some cases, one and the same.
In a statement, AIG ( acknowledged the closing gap. )
"Cyber risk goes well beyond data privacy concerns covered by stand-alone cyber insurance offerings prevalent in the market," said Tracie Grella, who leads AIG's professional liability division. "The physical risk of a cyber attack or cyber event to property and people is very real."
Researchers have accessed control systems for heart rate monitors, traffic lights, home security apps, swimming pool acid tanks and gondola rides -- none of which had security protocols of any kind built in. Imagine the damage that could be done if the wrong people tinkered with those systems.
The nation's critical infrastructure of utilities -- power plants, water treatment centers, dams, etc. -- runs on cyber platforms. Much of it is Internet-accessible.
The best proof that cyber hacks lead to physical damage actually comes from a U.S. offensive. The United States famously dealt a serious setback to Iran's nuclear ambitions with a cyberattack called Stuxnet that made many of the nation's centrifuges spin out of control.
In another case, Iran is believed to have attacked Saudi Oil company Aramco in 2012, ruining 30,000 computers. The company had to trash three-quarters of their PCs.
The repercussions of a cyber-to-physical hack could be fatal. A dam told to ignore pressure readings could burst. A power plant taken offline could pull the plug on hospitals.
And on a personal level, consider how our cars are essentially computers at this point. The average car has 50 or more microprocessors inside of it. And recent research has shown they're just as hackable as our PCs. If something goes wrong on the highway, it's not like a malfunctioning app you just close. Your life is at risk.
Cybersecurity insurance is a relatively new phenomenon. It's a hedge against getting hacked, which is now seen as an inevitability.
Companies are starting to add cybersecurity insurance to their policies. Most have already bought it or will soon, according to a Ponemon Institute report last year. A survey discovered 31% of companies have a policy, and another 39% are planning to get one. The practice is getting so much attention even the Department of Homeland Security is weighing in.
It makes sense to insure against data breaches, because the cost of those incidents is increasing. Between 2011 and 2012, Ponemon saw the average cost of a data breach in the United States rise from $188 per-person to $194. If a massive database with thousands of names gets lost, that quickly gets multiplied.
The damage in all those cases is monetary: thieves make fraudulent purchases, customer financial data is exposed and credit cards must be reissued. Target told senators it's investing $100 million to upgrade to a more advanced credit card system to avoid a repeat of last year's debacle.
But physical damage is seen as the next big liability. AIG didn't come up with this idea on its own. The company said it's responding to concerns from power plants, oil companies and hospitals.