How can a malicious keystroke lead to burst pipes, overridden security systems, or even physical injuries?
As businesses increasingly rely on automation, interconnected operational technology (OT), and artificial intelligence, the potential for cyber incidents to inflict real-world damage is accelerating. However, many organizations may not realize their current insurance programs are ill-equipped for this evolving “cyber-physical” risk.
John Farley (pictured), managing director of Gallagher’s cyber liability practice, warned that traditional property policies often exclude cyber-related events, while standalone cyber policies vary widely in whether they cover bodily injury, property damage, or environmental harm.
“Cyber threats are no longer confined to simply data breaches or network failures,” Farley said. “They’re extending to the potential to cause physical damage to property, bodily injury, and even environmental damage.”
Historically, physical damage was the domain of property and general liability insurance. But as OT environments become tightly integrated with IT networks, the line is blurring. When a cyber-physical claim occurs, the question then becomes: which policy responds?
“If you look back over recent years, traditional policies such as property insurance have imposed broad exclusionary language around cyber-related physical damage losses,” Farley told Insurance Business. “That pushes us toward standalone cyber policies.”
Some policies extend coverage to physical damage resulting from a cyber event, such as a manufacturing plant’s network failure causing over-pressurized equipment to explode, while others stop at data-centric losses.
Determining which policy applies starts with reading the exclusionary language in both property and cyber contracts and, ideally, negotiating broader terms at renewal. Farley said brokers should be prepared to guide clients through this process and ensure that their coverage structures anticipate such disputes.
Artificial intelligence (AI) introduces more complexity to this emerging risk. As AI tools take on decision-making roles, incorrect or maliciously manipulated inputs could trigger unsafe actions in physical systems.
At the same time, AI-powered deepfake technology is making social engineering scams vastly more convincing. Unlike traditional phishing, which can often be spotted by its bad grammar, deepfakes can replicate an individual’s voice or likeness with unsettling accuracy.
“Now, someone can take a CEO’s voice, manipulate it, and make it say things they never said. A deepfake voicemail from a CEO could instruct an urgent million-dollar transfer, and an employee might take action,” Farley said. “We need to step up our game in terms of recognizing these types of attacks.”
From an insurance standpoint, deepfake incidents may not fit neatly into traditional cyber definitions, since no network intrusion or data breach occurs. If losses from deepfakes grow, Farley said carriers may soon introduce new exclusions or require separate endorsements for coverage.
When cyber-physical damage occurs, attribution is key. The standard approach, Farley said, is to deploy forensic IT investigators to trace the threat actor’s digital footprint.
“These experts track the digital footprints, determine where the intruder went, what they did, and whether they’re still in the system. That’s standard procedure after a cyber event, and it’s how you confirm whether it was truly cyber-related,” Farley said.
This forensic clarity is critical in disputes over whether a loss should be covered under a cyber or property policy. Without it, businesses risk falling into a coverage gap.
While any connected business faces exposure, Farley identified manufacturing, transportation, energy, and hospitality as particularly vulnerable. In hospitality, for example, cyber-compromised building management systems could activate sprinklers or disable safety systems, causing significant physical damage.
Underwriters assessing this risk will probe deeply into an organization’s network architecture, asking about IT/OT segregation, firewalls, access controls, and advanced monitoring tools such as endpoint detection and response.
Farley emphasized that bridging the protection gap for cyber-physical risk requires more than buying coverage.
“It starts with training everyone to recognize this threat and verify requests, especially for fund transfers,” he said. “It may be low-tech, but verification protocols are critical. Technology to detect deepfakes is emerging, and some businesses are exploring it now.”
