Editor's note: Authored by Dave Navetta, Robert Jacques and Paul Moura, this article was originally published in Law360.
Here's a scenario, which is probable in light of the increased frequency and sophistication of cyberattacks over the past year: On a Monday, production machinery throughout a facility of microchip maker XYZ Inc. suddenly halts. Equipment status terminals display a perplexing message: "PC LOAD LETTER." Seconds later, all computers and networks at the plant also cease to work. Operations at the plant resume only weeks later, after XYZ Inc. pays many millions of dollars to recover and determine that an external threat actor has compromised its network security. Due to the disruption to its supply chain and inability to meet numerous contracts, XYZ Inc.'s income decreases many millions of dollars as well. A stand-alone cyber insurance policy may not be XYZ Inc.'s only source of financial protection for this event, or the countless number of other significant cyber events reported in the news each year. As noted by countless industry authorities and regulators, traditional insurance lines may provide coverage, either as a result of explicit cyber enhancements or pursuant to the so-called silent cyber endemic, in which insurers have failed to properly identify and manage cyber coverages across their policy portfolios. These other coverages can provide a lifeline when stand-alone cyber coverage is unavailable. Among other types of policies that could apply, XYZ Inc. may be pleased to find that it can recover under equipment breakdown insurance, also known as boiler and machinery insurance. This article provides an overview of B&M insurance and explains how it may allow for first-party insurance recovery for losses from cyber events — serving as a reminder that policyholders should carefully consider all insurance coverages when they face such a loss. Overview of B&M Insurance Generally, policyholders pay a special premium to purchase B&M insurance as an endorsement to commercial property policies or on a stand-alone basis, with the purpose of filling potential coverage gaps in commercial property policies. The coverage insures various types of loss resulting from the accidental breakdown of covered equipment — including physical damage to the equipment and other property, income loss, and extra expenses such as repairing or replacing equipment. B&M policies should define what sorts of events constitute accidental breakdowns that trigger coverage and identify what assets qualify as covered equipment. Although these definitions vary by policy, the Insurance Services Office form for equipment breakdown protection coverage serves as a convenient benchmark. That form defines "covered equipment" to include equipment that operates under internal pressure or that is used in the generation, transmission or utilization of energy, and even specifically identifies communication equipment and computer equipment as covered equipment. In turn, the ISO form defines "breakdown" to include various types of mechanical or electrical failures. Some companies may at first wonder whether B&M coverage is right for them. Historically, B&M insurance is primarily understood to concern exposures related to heavy equipment and machinery, but the scope of coverage has been expanded over the years to reach accidents of regular office equipment such as computers and automated telephone systems. This coverage can be significant for policyholders because it insures a broad set of losses and expenses that may not be covered under a manufacturer's warranty or maintenance contract for the covered equipment. For certain businesses, moreover, such as manufacturers and distributors/retailers with large inventories of perishable goods, B&M insurance may be necessary to address substantial loss exposures related to the breakdown of necessary equipment and attendant interruptions to those companies' operations. Applicability of B&M Insurance to Cyber Losses Traditional B&M insurance shares many characteristics with modern cyber insurance offerings. Indeed, cyber insurance can be viewed as an offshoot of B&M insurance that developed more than a century ago, as both coverage lines were developed to address risk from novel, complex technologies and place paramount importance on loss control efforts. B&M perils, like cyber perils, are most effectively addressed through loss control measures that prevent a loss from occurring in the first place. In both the traditional B&M and cyber realms, a loss may be prevented or controlled with personnel training, regular maintenance and inspections to detect and correct hazards before a loss event occurs. Loss control efforts are so significant that they are often included as an essential part of carriers' offerings — whether B&M or cyber insurance — with carrier-hired experts advising insureds on exposures and corrective/preventative measures to address risks. As noted, the current ISO equipment breakdown coverage form makes specific reference to coverage for computer assets. But the form also purports to limit coverage. Specifically, the form's definition of a covered breakdown purports not to include certain "defects, erasures, errors, limitations or viruses in computer equipment and programs," while defining "computer equipment" to include "programmable electronic equipment that is used to store, retrieve and process data" but not data or electronic data processing or storage media. The form also explicitly states that it covers the cost of researching, replacing and restoring lost or corrupted data used in computer equipment, in order to bring the equipment back in working order. Despite potential limitations to cyber-related coverage in the ISO B&M form, coverage may be available, and necessarily turns on, the facts of a given scenario. Indeed, that analysis — to apply policy wordings to the specific facts at issue — is critical in the context of cyber perils, which are complex and constantly evolving. In addition, it is worth emphasizing that there are various types of B&M insurance policies in the market — some dating back many decades. Many of those policies lack explicit reference to information technology assets or cyber exposures but still provide coverage for cyber perils due to broadly worded coverage grants. Again, coverage for a claim will depend largely on the specific policy wording, fact pattern and governing body of law. B&M Coverage as Excepted From Certain Exclusions In addition, even for policies that include exclusions that purport to negate certain forms of cyber coverage, B&M coverage may provide a substantial write-back that allows policyholders to tap coverage for cyber events. For example, since at least 2001, certain insurers have used a so-called electronic data endorsement, which purports to exclude certain forms of loss for certain types of data events. That exclusionary wording, however, contains an explicit carveout for loss associated with perils that are listed in the endorsement. Thus, for example, if a data event causes a fire or explosion — the two standard listed perils in electronic data endorsement wordings — then there is full coverage for that loss, despite the exclusionary language in the endorsement that might otherwise apply to a given loss event. Significantly, carriers over the years have supplemented the set of listed perils in the electronic data endorsements to include B&M perils, among other types of causes of loss. In doing so, those carriers are agreeing to insure a whole host of losses that can be characterized as B&M or equipment breakdown events, including the breakdown of computer equipment resulting from computer viruses and other cyber-related events. Conclusion — Looking Beyond Stand-Alone Cyber Insurance The B&M example serves as a reminder that stand-alone cyber insurance policies are not the only way to recover amounts on cyber-related losses. Policyholders should carefully analyze all potentially applicable insurance policies, including property and B&M coverages. Other types of insurance, including general liability, directors' and officers' liability, errors and omissions, crime, and kidnap and ransom, may also provide relief for cyber-related losses.