Features Editor
Certain Insurance Coverages May Not Protect Fleets Against Cyberattack Losses, Experts Warn
The cyberattack that befell FedEx Corp.’s TNT Express unit earlier this summer highlights an ever-increasing risk that many trucking fleets are up against — and which may not be insured under the typical coverages they carry, insurance industry experts say.
Never was this clearer than in the June cyberattack that hit TNT, a European parcel carrier that FedEx has owned since last year. TNT fell victim to the so-called “Petya” attack, which FedEx said involved the spread of an information technology virus through a tax software product in Ukraine, one place where TNT operates. And the company, by FedEx’s admission, was unprotected.
“We do not have cyber or other insurance in place that covers this attack,” FedEx said in a statement July 17. “We are still evaluating the financial impact of the attack, but it is likely that it will be material.”
As it turns out, FedEx is not alone, said Dan Cook, principal and practice leader at insurance broker TrueNorth Cos., adding that most fleets carry standard coverages to include auto liability, general liability, cargo, crime and workers’ compensation. “Some may also secure crime coverage, to include computer fraud and funds transfer coverage,” he said, but he added that these coverages generally are not intended to provide defense costs and/or indemnity payments if a cyberbreach or malware attack occurs.
Born
In a malware or ransomware attack, the goal of a hacker is to shut down a motor carrier’s operating system to extort a payment either to turn the system back on or to prevent the hacker from releasing any personally identifiable information on employees, drivers or clients, Cook said. “This is essentially what was attempted at FedEx-TNT.”
Cyberattacks also are not covered under traditional business interruption insurance in property policies, said Michael Born, vice president and account executive in the cybertechnology practice at insurance broker Lockton Cos.
Business interruption insurance covers specific perils such as wind, fire, tornadoes and floods — perils that would physically affect a company’s operations, Born said.
Lopilato
Michelle Lopilato, director of cyber and technology solutions at insurance broker Hub International, said that the rise and success of ransomware such as Petya “has provided malicious actors the ability to monetize data that is not protected, sensitive and confidential.”
For trucking companies, many of which are relying more and more on their computer systems to manage the transportation of goods, the data could include information on where a driver must go to pick up the next load. That is a risk not only to the carrier’s business but to the shipper’s business as well, Born noted. “Every company that has a computer system has cyberexposure,” he said.
One fleet executive, however, said he doesn’t see the value in buying cybercoverage because this type of risk at his fleet is very low.
“Cybersecurity is different,” said James Burg, president and CEO of James Burg Trucking Co., noting that such coverage is for when somebody breaks into a system to steal another person’s information. “We don’t do e-commerce, so we don’t keep anybody’s information.”
Fleets Need Security Peace of Mind
Other fleets may need the coverage because they may have sensitive information about their customers and drivers on their servers that could be hacked, said Burg, who also is chairman of American Trucking Associations’ Insurance Task Force.
But he does not have coverage for someone stealing his employees’ files “because I don’t keep it on my server. It’s not there for them to find. They can’t get through my server into a filing cabinet.”
Burg said he does have business interruption coverage and that cyberinsurance hasn’t been raised as an agenda item on the task force.
Cyberinsurance is a growing area of focus for some insurers, Born said, noting it’s among the newer types of coverage.
Policies for cyberbreach and ransomware or malware attacks “continue to evolve, and they are significantly better than even policies of 18 months ago,” Cook said. If fleets are relying on an older policy form, for example, “they are likely not covered for cyberextortion or many of the new cybercrime coverages needed.”
Sean Donahue, assistant vice president and underwriter at XL Catlin, a top writer of cyberinsurance, said that XL Catlin created a stand-alone product for “specific cyber-related incidents and coverages.” It provides business interruption insurance related to a hacking event, he said, noting the catalyst for coverage would be “malicious software.”
XL’s cyberinsurance policy provides coverage for data protection and privacy risks, both for third-party claims and first-party mitigation costs after a technology or cyberevent, Donahue said.
With Cyberpolicies, One Size Does Not Fit All
Cyberpolicies tend to have various insuring agreements. Business interruption due to a hacking event is part of an insuring agreement under XL’s cyberpolicy as a whole, Donahue said. These agreements also offer coverage for data restoration, cyberextortion and crisis management, such as a company’s public relations efforts after a cyberattack, he said.
Lopilato said many fleets should be concerned about cyberrisk losses because they rely on logistics networks to ensure management of their supply chain.
“Hacking, malicious software, ransomware and even system failures can target and affect the logistics network and cause a disruption to business operations, resulting in a loss of income, extra expenses paid to get the logistics network up and running again and costs associated with additional time to restore, recollect or re-create lost, stolen or corrupted data assets,” she said.
However, cybercoverage, and the terms used on each insurer’s form, can vary, Lopilato said. In addition, cyberrisk policies “can contain exclusions for war and terrorism.”
Cyberpolicies must be customized to a motor carrier’s risks, the experts said.
“Fleets should understand the distinction between first- and third-party claims and assess their exposure based upon the number of records they have, their own internal IT platform and backup or disaster recovery plan, and then work to customize their coverage accordingly,” TrueNorth’s Cook said.
Memphis-based FedEx said that the June cyberattack caused lost revenue and higher costs for Netherlands-based TNT, which FedEx bought for $4.8 billion last year.
“Although we cannot currently quantify the amounts, we have experienced loss of revenue due to decreased volumes at TNT and incremental costs associated with the implementation of contingency plans and the remediation of affected systems,” the company said in the statement.
TNT Facilities Recovering — Gradually
FedEx said in July that all TNT facilities were running, but many tasks were being performed manually and customers were experiencing delays.
The insurance coverages that would apply to the TNT cyberattack, XL Catlin’s Donahue said, are business interruption, data restoration and forensics “due to the type of ransomware that attacked them and the outages caused by that ransomware.”
He added that the incident at TNT severely slowed down the processing of packages and shipments. From a business interruption standpoint, that is a third-party exposure because if they’re being relied upon to deliver shipments in a timely manner and are unable to, “that potentially opens them up to liability.”
FedEx also noted in its July statement, “While TNT operations and communications were significantly affected, no data breach or data loss to third parties is known to have occurred.”
FedEx had no additional comment beyond the July statement, a representative told Transport Topics on Aug. 16.