Category: Cyber-physical risk · Reviewed by Amy Price, Account Executive · Last reviewed 2026-06-10
Cyber-physical convergence refers to the phenomenon by which cyber incidents — malware, ransomware, intrusion or denial-of-service — produce physical damage to property, equipment or operations, blurring the historical boundary between cyber and property insurance.
The trio of NotPetya (June 2017), Triton/Trisis (Saudi Arabia, August 2017) and Colonial Pipeline (May 2021) crystallised cyber-physical convergence as a defining insurance issue. The London market’s response has been to clarify silent cyber coverage and to introduce a standardised family of cyber war exclusion clauses.
Definition
Cyber-physical convergence is observable in three principal modes:
Cyber as cause of physical damage — malware causes machinery to operate outside safe parameters or causes a control system to release product (Triton/Trisis targeted safety instrumented systems at a petrochemical plant).
Cyber as cause of business interruption with physical consequence — ransomware halts production (Norsk Hydro 2019, where plants fell back to manual operation) or leads the operator to halt physical operations as a precaution (Colonial Pipeline 2021, where the IT network was hit and the pipeline was shut down; Maersk in NotPetya 2017, where container terminals and bookings stopped when the IT estate was wiped).
Cyber as trigger for cascading infrastructure failure — attacks on energy or water systems with downstream property and BI losses.
The insurance question — historically known as “silent cyber” — is whether a cyber-induced loss is covered under a property, marine, casualty or specialist cyber policy. The market has moved decisively toward affirmative coverage and explicit exclusions.
Legal / Regulatory basis
The legal and supervisory framework includes:
IAIS Issues Paper on Cyber Risk to the Insurance Sector (2016) — the foundational supervisory document.
IAIS Application Paper on Supervision of Insurer Cybersecurity (2018); Application Paper on Cyber Risk Underwriting (2020) — supervisory expectations on underwriting practice and accumulation management.
PRA Supervisory Statement SS4/17, Cyber insurance underwriting risk (July 2017) — required PRA-authorised insurers to identify, manage and report on silent and affirmative cyber exposure.
Lloyd’s Market Bulletins Y5258 (4 January 2019) and Y5277 (8 July 2019) — the Performance Management Directorate’s direction on mandatory cyber exclusions and affirmative grants.
Lloyd’s Market Bulletin Y5381 (16 August 2022) — cyber war and state-backed cyber-attack exclusion requirement for standalone cyber policies issued from 31 March 2023.
LMA cyber war exclusion clauses — LMA5400, LMA5401, LMA5402, LMA5403, LMA5448, LMA5451 (August 2022), in force from policies inceptioning on or after 31 March 2023.
CL380 — Institute Cyber Attack Exclusion Clause (10 November 2003) — the long-standing marine cyber exclusion.
Computer Misuse Act 1990 — criminal framework.
Network and Information Systems Regulations 2018 — for operators of essential services.
Cyber Security and Resilience Bill 2024–25 — proposed expansion of NIS in the UK.
EU NIS2 Directive (EU 2022/2555) and EU DORA (Regulation (EU) 2022/2554) — applicable to EEA-based operations.
How it works in practice
Insurers manage cyber-physical convergence through four mechanisms:
Affirmative grant or exclusion — every property, marine, casualty and engineering policy must take a position on cyber-induced losses. Lloyd’s requires explicit treatment.
War exclusion clauses — the LMA5400 family introduces a structured exclusion of state-backed cyber attacks, with attribution provisions (the tests by which an attack is attributed to a state) and carve-back language defining which cyber operations remain covered.
Cyber-physical hybrid products — specialist cyber-property cover for industrial operators, often with named perils and detailed cyber risk-engineering conditions.
Accumulation management — insurers model systemic cyber-physical scenarios (cloud outage, ICS attack) for capital and reinsurance.
Lloyd’s cyber risk-code reporting and PRA SS4/17 require explicit recognition of silent cyber exposure in insurers’ internal models and reserving.
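As an added illustration of the silent-cyber stress test that the mechanisms above describe (this is example code written for this entry, not a Lloyd’s, PRA or LMA model): a small book of policies is tagged with shared technology dependencies, a scenario compromises one dependency, and each policy’s loss is booked to a bucket according to the position its wording takes on cyber. The portfolio, the dependency tags, the damage ratio and the bucket names are all constructed assumptions, and war exclusions on property wordings are deliberately not modelled.

```python
"""Silent-cyber accumulation stress test (added illustration, not a market model)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


class CyberPosition(Enum):
    """Position a non-cyber policy wording takes on cyber-induced loss."""
    AFFIRMATIVE = "affirmative"  # explicit grant, usually capped by a sub-limit
    EXCLUDED = "excluded"        # explicit cyber exclusion in the wording
    SILENT = "silent"            # wording takes no position: the silent-cyber case


@dataclass(frozen=True)
class Policy:
    policy_id: str
    line: str                                   # "property", "marine", "engineering" or "cyber"
    insured: str
    limit: float
    position: CyberPosition
    cyber_sublimit: Optional[float] = None      # used only for AFFIRMATIVE grants
    dependencies: FrozenSet[str] = frozenset()  # shared technology a scenario can hit


@dataclass(frozen=True)
class Scenario:
    name: str
    trigger: str          # dependency tag the scenario compromises (hypothetical tags)
    damage_ratio: float   # fraction of limit assumed lost by each exposed policy
    state_backed: bool    # if True, the cyber war exclusion on standalone cyber applies


def loss_for_policy(policy: Policy, scenario: Scenario) -> Tuple[float, str]:
    """Return (amount, bucket) for one policy under one scenario.

    Buckets: not_exposed, affirmative, silent, excluded, war_excluded.
    Excluded buckets carry the gross amount the clause removes, so the report
    shows how much of the accumulation depends on an exclusion holding up.
    Simplification: war exclusions on property wordings are not modelled.
    """
    if scenario.trigger not in policy.dependencies:
        return 0.0, "not_exposed"
    gross = policy.limit * min(scenario.damage_ratio, 1.0)

    if policy.line == "cyber":
        # Standalone cyber is affirmative by design; a state-backed attack
        # falls to the cyber war exclusion instead.
        return (gross, "war_excluded") if scenario.state_backed else (gross, "affirmative")

    if policy.position is CyberPosition.EXCLUDED:
        return gross, "excluded"
    if policy.position is CyberPosition.AFFIRMATIVE:
        cap = policy.limit if policy.cyber_sublimit is None else policy.cyber_sublimit
        return min(gross, cap), "affirmative"
    # SILENT: the wording takes no position, so the stress test books the full amount.
    return gross, "silent"


def run_scenario(portfolio: Iterable[Policy], scenario: Scenario) -> Dict[str, float]:
    """Aggregate losses by bucket; 'stressed' is the amount the insurer must
    hold against if every silent policy ends up paying in full."""
    totals = {"affirmative": 0.0, "silent": 0.0, "excluded": 0.0, "war_excluded": 0.0}
    for policy in portfolio:
        amount, bucket = loss_for_policy(policy, scenario)
        if bucket != "not_exposed":
            totals[bucket] += amount
    totals["stressed"] = totals["affirmative"] + totals["silent"]
    return totals


# Constructed sample book: four insureds share one hypothetical SIS vendor.
SIS = "sis:vendor-x"
PORTFOLIO = [
    Policy("PROP-1", "property", "Insured A", 50_000_000, CyberPosition.SILENT,
           dependencies=frozenset({SIS})),
    Policy("PROP-2", "property", "Insured B", 20_000_000, CyberPosition.EXCLUDED,
           dependencies=frozenset({SIS})),
    Policy("PROP-3", "property", "Insured C", 30_000_000, CyberPosition.AFFIRMATIVE,
           cyber_sublimit=5_000_000, dependencies=frozenset({SIS})),
    Policy("CYB-1", "cyber", "Insured A", 10_000_000, CyberPosition.AFFIRMATIVE,
           dependencies=frozenset({SIS})),
    Policy("PROP-4", "property", "Insured D", 40_000_000, CyberPosition.SILENT,
           dependencies=frozenset({"cloud:provider-y"})),  # not hit by the SIS scenario
]

CRIMINAL_SIS_ATTACK = Scenario("Ransomware crew reaches shared SIS vendor", SIS, 0.25, False)
STATE_SIS_ATTACK = Scenario("State actor reaches shared SIS vendor", SIS, 0.25, True)

if __name__ == "__main__":
    for scenario in (CRIMINAL_SIS_ATTACK, STATE_SIS_ATTACK):
        print(scenario.name, run_scenario(PORTFOLIO, scenario))
```

Running the block prints both scenarios for the constructed book. The point the numbers make is that the exposure an insurer cannot price or reinsure is the silent bucket, and the state-backed variant shows how much of the affirmative cyber recovery moves into the war-excluded bucket once attribution to a state is made, which is why the attribution provisions in the exclusion clauses matter to the claim as much as to the wording.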
Common variations / Subsequent developments
NotPetya (June 2017) — wiper malware disguised as ransomware, attributed by the UK and US governments to the Russian military; it spread through a trojanised update of the Ukrainian M.E.Doc accounting software and then laterally via the EternalBlue exploit and stolen credentials. Merck & Co (US), Mondelez and Maersk were among the largest losses. Litigation between Merck and its property insurers (resolved 2024) and between Mondelez and Zurich (settled 2022) tested how the traditional war exclusion applies to a state-attributed cyber attack.
Triton/Trisis (Saudi Arabia, August 2017) — malware targeting Schneider Electric Triconex safety instrumented systems at a petrochemical plant; it was discovered when a faulty payload tripped the safety controllers and shut the plant down, the first known malware built to manipulate an SIS.
Colonial Pipeline (May 2021) — DarkSide ransomware encrypted the operator’s IT systems; Colonial shut the pipeline down for six days as a precaution because it could not be sure the OT network was isolated from the compromised IT network. The physical interruption came from the operator’s decision, not from malware on the control systems.
Norsk Hydro (March 2019) — LockerGoga ransomware encrypted IT systems across the group; several plants switched to manual operation and some production lines were halted.
NHS WannaCry (May 2017) — disruptive but limited UK property damage.
Cyber war exclusions — Merck v Ace American (Superior Court of New Jersey, Law Division 2022; affirmed by the Appellate Division 2023; settled 2024) interpreted the traditional war exclusion narrowly, holding it did not reach NotPetya, and informed the LMA’s 2022 cyber war exclusion redrafting.
Cyber catastrophe bonds — Beazley and others issued cyber cat bonds from 2023 to manage tail exposure.
The LMA5400 family is the dominant market standard. Brokers typically place LMA5402 or LMA5403 (the more permissive variants in the family) for sophisticated buyers, while LMA5400 is the strictest.
Example
A UK manufacturer’s automotive plant is hit by ransomware in 2026, attributed to a financially motivated criminal group, so the state-backed cyber war exclusion is not engaged. Production halts for nine days. Restoration of the OT environment, rebuild of PLC firmware and incident response costs are paid under a standalone cyber policy (subject to the LMA5400 cyber war exclusion, which here does not bite). Property damage (replacement of a damaged production line) is paid under a cyber-property hybrid policy. Business interruption is split between the cyber BI sub-limit and the property BI section under a coordinated grant. The losses are notified under both policies and the claims are handled jointly to avoid double recovery; the incident evidence supporting the criminal attribution is preserved because the war exclusion turns on it.
Merck & Co, Inc v Ace American Insurance Co (Superior Court of New Jersey, Law Division 2022; Appellate Division 2023; settled 2024).
This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-10. Next review: 2026-12-10.
Apex Insurance Brokers Limited. Authorised and regulated by the Financial Conduct Authority, FRN 724952. Registered in England and Wales, Companies House 07014570. This entry provides general information about UK insurance concepts and is not regulated advice. Consult your insurance broker on your specific position.