Silent Cyber in Property Insurance: The Coverage Gap Your Policy Does Not Address

Modern homes and commercial buildings are increasingly dependent on digital systems. Smart thermostats control HVAC systems. Internet-connected water sensors monitor for leaks. Building management systems regulate everything from lighting to fire suppression. Security cameras, smart locks, and automated irrigation systems are connected to the internet and controlled through mobile applications. This growing reliance on interconnected technology has created a category of risk that the traditional property insurance policy was never designed to address: the risk that a cyber event — a hack, a malware infection, a ransomware attack, a software malfunction — causes physical damage to the insured property.

The insurance industry calls this problem “silent cyber” — cyber risks that fall into a gray area because the property policy neither explicitly covers them nor explicitly excludes them. The result is a coverage gap that most policyholders do not know exists until a loss occurs and the claim is disputed.

What “Silent Cyber” Means

The term “silent cyber” describes the exposure that exists when a traditional insurance policy — one designed for physical perils like fire, wind, water, and theft — does not specifically address cyber-related causes of loss. The policy is “silent” on whether cyber events are covered.

In an open-peril property policy (like the HO-3), this silence historically favored the policyholder. Under an open-peril policy, all causes of loss are covered unless a specific exclusion applies. If the policy does not exclude cyber-caused damage, the argument follows that cyber-caused physical damage is covered. The insurer bears the burden of proving that an exclusion applies — and a policy that does not mention cyber events contains no cyber exclusion. For background on how exclusions work in property policies, see the dedicated article on that topic.

The insurance industry recognized this gap as a significant unpriced exposure. Insurers were potentially liable for cyber-caused physical damage claims under policies priced only for traditional physical perils. This realization launched what the industry has termed the “end of silent cyber” movement — an effort to explicitly address cyber risks in every property policy, either by excluding them or by providing defined, priced coverage.

How Silent Cyber Affects Property Claims

The scenarios in which cyber events cause physical property damage are no longer theoretical. As buildings become more connected, the potential for a digital failure to result in tangible physical damage has grown from a hypothetical concern to a documented reality.

Smart Home System Failures Causing Physical Damage

A compromised smart thermostat could disable a heating system during freezing weather, causing pipes to burst and resulting in extensive water damage. A hacked smart home hub could deactivate leak detection systems, allowing a slow water leak to go undetected for days or weeks. A malfunctioning smart appliance — an oven that fails to shut off, a dryer that overrides its temperature limits — could cause a fire. In each scenario, the physical damage is real and tangible, but the cause is digital.

Under a traditional property policy that is silent on cyber, the coverage analysis depends on how the loss is characterized. If the insurer treats the cause as the physical peril (fire, water damage), coverage should apply. If the insurer traces the cause back to the cyber event (the hack, the malware, the software malfunction), the insurer may argue that the loss falls outside the policy’s intended scope — or invoke a cyber exclusion if one has been added.

Ransomware Affecting Building Systems

Ransomware attacks on building management systems are a growing concern, particularly for commercial properties but increasingly for high-end residential properties with sophisticated automation. If ransomware disables a building’s HVAC controls during extreme weather, the resulting temperature excursions can cause pipe bursts, equipment failures, mold growth from humidity loss of control, and damage to temperature-sensitive contents. The physical damage is a direct consequence of the cyber attack, but the question of whether the property policy covers it depends on the policy language.

Cyberattack on Utility Infrastructure

A cyberattack on the electrical grid or other utility infrastructure could cause power surges, voltage fluctuations, or sustained outages that damage connected equipment, appliances, and building systems. A power surge caused by a grid-level cyber attack is physically indistinguishable from a power surge caused by a lightning strike or equipment failure at the utility — but its cause is fundamentally different. Whether the property policy covers the resulting damage may depend on whether the policy contains a cyber exclusion and, if so, whether the exclusion applies to infrastructure-level cyber events that affect the insured property indirectly.

Properties with equipment breakdown coverage may have an additional layer of protection for damage to electrical and mechanical systems, but even equipment breakdown policies are increasingly adding cyber-related exclusions or limitations.

IoT Device Malfunction from Malware

The Internet of Things (IoT) has placed millions of connected devices in homes and businesses — from smart water heaters to connected garage door openers to Wi-Fi enabled smoke detectors. These devices have notoriously poor cybersecurity and are frequent targets for malware. A malware-infected IoT device that malfunctions and causes a fire, flood, or other physical damage presents a coverage question that most property policies do not cleanly answer. The physical damage is covered under traditional policy terms, but the cyber cause may trigger an exclusion — or at least a coverage dispute.

The Industry Response: Ending Silent Cyber

Beginning around 2019, the insurance industry initiated a concerted effort to eliminate silent cyber exposure from traditional property policies. The Insurance Services Office (ISO), which publishes the standardized policy forms used by most insurers, introduced several endorsements designed to explicitly address cyber risks in property policies. Lloyd’s of London mandated that all policies either affirm or exclude cyber coverage by a specified deadline. The goal was to ensure that every property policy takes a clear position on cyber-caused damage, eliminating the ambiguity that “silent cyber” represents.

The industry’s response has taken two general forms, each with different implications for policyholders.

The Limited Cyber Coverage Endorsement

Some insurers have adopted endorsements that provide limited, defined coverage for cyber-caused physical damage. These endorsements typically acknowledge that cyber events can cause physical damage and provide coverage for such damage, but with restrictions. Common limitations include sub-limits on cyber-related claims (often significantly lower than the policy’s overall coverage limits), waiting periods before business interruption coverage applies, exclusions for losses caused by nation-state cyber attacks or acts of cyber war, and requirements that the cyber event result in direct physical damage (not just data loss or business disruption).

The limited cyber coverage approach is better than silence because it confirms that some coverage exists. However, the sub-limits and restrictions can leave policyholders significantly underinsured for major cyber-caused physical losses.

The Absolute Cyber Exclusion

Other insurers have taken the opposite approach, adding broad cyber exclusions to property policies that eliminate coverage for any loss caused by or resulting from a cyber event. These exclusions are typically drafted broadly, excluding loss or damage “caused by, contributed to by, resulting from, arising out of, or in connection with” any cyber event, including but not limited to unauthorized access to computer systems, malware, ransomware, denial of service attacks, and the use or operation of any computer system or electronic device.

The breadth of these exclusions is concerning for policyholders. Under a broadly drafted cyber exclusion, a fire caused by a malfunctioning smart appliance could be excluded if the malfunction resulted from a software error or cyber intrusion. Water damage from a failed smart water valve could be excluded if the failure was caused by a firmware bug. The physical damage is identical to damage from non-cyber causes, but the cyber nexus triggers the exclusion.

What Policyholders Need to Know

Review the Policy for Cyber Language

The first step is understanding the current policy’s position on cyber risks. Read the declarations page, the policy form, and every endorsement. Look for any language referencing cyber events, computer systems, electronic data, digital technology, or similar terms. If the policy is silent, coverage for cyber-caused physical damage may exist under the open-peril structure, but this position may be tested if a claim arises. If the policy contains a cyber exclusion, understand its scope — some exclusions are narrowly drafted to exclude only pure cyber losses (data loss, ransomware payments) while preserving coverage for ensuing physical damage, while others are broadly drafted to exclude all losses with any cyber nexus.

Understand the Ensuing Loss Question

Many property policies contain ensuing loss provisions that preserve coverage for physical damage that results from an otherwise excluded cause. If a policy excludes cyber events but contains an ensuing loss clause, the question becomes whether physical damage caused by a cyber event constitutes an “ensuing loss” that is covered despite the cyber exclusion. For example, if malware disables a heating system and pipes freeze and burst, the water damage is physical damage that “ensued” from the excluded cyber event. Whether the ensuing loss clause preserves coverage for this water damage is a question of policy interpretation that courts have not yet uniformly resolved.

For policyholders, the ensuing loss argument is one of the most important potential protections against broad cyber exclusions. Understanding whether the policy contains an ensuing loss clause and how it interacts with any cyber exclusion is essential.

Consider Standalone Cyber Coverage

As property policies increasingly exclude or limit cyber-related coverage, standalone cyber insurance policies have emerged to fill the gap. For homeowners, standalone cyber policies are available through some insurers and typically cover data breach costs, cyber extortion (ransomware payments), identity theft expenses, and in some cases, physical damage resulting from cyber events. For commercial property owners, cyber insurance is increasingly viewed as essential, with policies available that specifically address cyber-caused physical damage and the business interruption that follows.

The key is ensuring that the standalone cyber policy covers physical damage to property, not just data loss and liability. Many homeowner-level cyber policies focus on data breach and identity theft rather than property damage, which means they may not fill the gap left by a property policy’s cyber exclusion. Commercial cyber policies are more likely to address the physical damage angle, but coverage varies significantly by insurer and policy form.

The Commercial Property Angle

The silent cyber problem is particularly acute for commercial property insurance, where the stakes are higher and the exposures are greater. Commercial buildings rely more heavily on digital building management systems, automated processes, and interconnected technologies than residential properties. The potential for a cyber event to cause significant physical damage and extended business interruption is correspondingly greater.

Business Interruption from Cyber Events

One of the largest emerging coverage disputes involves business interruption losses caused by cyber events. A ransomware attack that shuts down a building’s operations, a cyber event that disables manufacturing equipment, or a hack that compromises a building’s safety systems and forces evacuation can all cause significant business interruption losses. Whether the commercial property policy’s business interruption coverage responds depends on whether the policy requires a “direct physical loss” to trigger business interruption coverage and whether a cyber event constitutes or causes such a loss.

Many commercial property policies have been amended to address this question explicitly, but the answers vary. Some policies now exclude all business interruption resulting from cyber events. Others provide limited coverage with sub-limits. Still others are silent, creating the same ambiguity that the “end of silent cyber” movement was intended to resolve.

California Consumer Protection Considerations

California’s insurance regulatory framework provides several protections that may be relevant in cyber-related coverage disputes. The reasonable expectations doctrine holds that ambiguous policy language should be interpreted in favor of the policyholder’s reasonable expectations. If a homeowner purchases a property policy expecting it to cover fire damage, and a fire is caused by a cyber event, the homeowner’s reasonable expectation is that the fire damage is covered regardless of its digital origin. An insurer seeking to deny this expectation through a broadly worded cyber exclusion faces an uphill argument under California law.

Additionally, California’s rules of policy interpretation require that exclusions be conspicuous, plain, and clear. A cyber exclusion buried in an endorsement that uses technical jargon unfamiliar to the average policyholder may not meet this standard. And California’s contra proferentem rule requires that any ambiguity in the exclusion be resolved in favor of coverage.

These consumer protection principles do not guarantee coverage for cyber-caused physical damage, but they provide important legal tools for policyholders who find themselves in a coverage dispute over a cyber-related loss.

Practical Advice

• Review the property policy for cyber language now. Do not wait until a loss occurs to discover whether the policy addresses cyber risks. Look for endorsements or exclusions referencing cyber events, computer systems, or electronic technology.
• Ask the insurer or agent directly. Inquire whether the policy covers physical damage caused by a cyber event. Get the answer in writing. If the answer is no, ask what coverage options are available.
• Consider standalone cyber coverage for the home. If the property policy excludes or limits cyber-related coverage, a standalone cyber policy may fill the gap. Ensure any standalone policy covers physical damage to property, not just data breach and liability.
• Secure smart home systems. Basic cybersecurity hygiene reduces the risk of a cyber event causing physical damage: use strong, unique passwords for all connected devices; keep firmware and software updated; use a dedicated network for IoT devices separate from the primary home network; and disable remote access features that are not being used.
• Document all connected devices.Maintain a list of all internet-connected devices in the home, including make, model, firmware version, and function. This documentation is useful both for claim purposes and for evaluating the home’s cyber risk profile.
• For commercial properties, make cyber insurance a priority. The intersection of cyber risk and physical property damage is an area where commercial policyholders cannot afford gaps. Work with a broker experienced in both property and cyber insurance to ensure that the two programs work together without leaving uncovered exposures between them.

The Future of Silent Cyber

The “end of silent cyber” movement has made significant progress in clarifying the insurance industry’s position on cyber-related physical damage, but it has not resolved all questions. Many residential policies remain silent on cyber risks. Commercial policies that have addressed cyber often do so through broad exclusions that may not survive legal challenge when applied to claims involving tangible physical damage. And the technology landscape continues to evolve faster than policy language can be updated.

For policyholders, the practical implication is that cyber risk in property insurance is an area of active uncertainty. The best protection is awareness — knowing what the current policy says (or does not say) about cyber risks, understanding the evolving endorsements and exclusions that insurers are introducing, and obtaining standalone cyber coverage when the property policy leaves gaps. In an increasingly connected world, the assumption that a property policy covers all physical damage to the home may no longer be safe without verification.