While U.S. businesses have certainly increased focus on preventing and responding to on premise terrorist attacks, they may be unknowingly leaving themselves vulnerable to cyberterrorism. According to The Global Risks Report 2016, cyber-attacks are predicted to be the number one tech-risk likely to occur in the United States. Additionally, terrorism is one of the top three risk concerns for companies doing business in the U.S. However, defining cyberterrorism can be very difficult. For example, the legal definition for terrorism involving a cyber-attack is much more specific compared to the definition of cyberterrorism under a cyber insurance policy. Matthew McCabe, senior vice president of Marsh’s Cyber Practice, explained that “Under U.S. law, generally speaking, there are three major elements to a terrorist’s act. First, it’s an act that is violent or potentially jeopardizes human life. Second, the act will violate criminal law in the United States…and third, the act is motivated by some ideological basis.”
In fact, a hacker from Kosovo was charged in June of this year for accessing personal identifiable information (PII) for more than a thousand service members and federal employees in 2015. The hacker, known as Th3Dir3ctorY, was charged with 25 years in prison after releasing the information to ISIS, making him the first hacker prosecuted for terrorism charges.
What defines cyberterrorism in the insurance industry can vary significantly as there is a much broader standard. For example, the Syrian Electronic Army has been known to deface websites and media outlets in the U.S., UK and France in support of the Syrian government. While their attacks are neither violent nor deadly, they could easily be considered an act of cyberterrorism under a cyber insurance policy.
According to McCabe, “cyber terrorism causes and cyber insurance policies are meant to clarify that a broad range of events will be covered regardless of motive or ideological purpose. A motive on why a hacker targeted a company should be completely irrelevant to your coverage. The more crucial point for insurers is the…application of the war exclusion should depend on who conducted the attack and the severity of the attack. Potentially, a cyber terrorism cause can be used to narrow that exclusion.”