Property Damage from Cyber Incidents Malaysia: Will Your Fire or IAR Policy Pay?

A cyber attack on your factory's SCADA system caused equipment to overheat, triggering a fire. Alternatively, malware shut down cooling, and critical machinery failed. You filed a claim under your fire and all-risks policy, but the insurer is pushing back, saying cyber incidents are excluded.

This scenario exposes a coverage gap that many factories face: fire insurance does not cover cyber causes, and traditional cyber insurance does not cover physical property damage. In Malaysia, most fire and all-risks policies contain cyber exclusions that explicitly bar claims arising from cyber events, even if the physical loss is real.

This guide explains what fire and all-risks insurance actually cover, where the cyber gap exists, and how to close it with explicit endorsements.

How Cyber Incidents Cause Physical Property Damage

Cyber attacks on industrial facilities target operational technology (OT): SCADA systems, programmable logic controllers (PLCs), and distributed control systems (DCS). When these systems are compromised, physical damage can follow:

Malware may override safety interlocks, causing equipment to overheat or operate beyond design limits, triggering explosions, fires, or mechanical failure. Denial-of-service (DDoS) attacks can disable cooling systems, causing heat-based damage to sensitive equipment. Ransomware may prevent operators from shutting down systems safely, leading to cascade failures.

In worst cases, the damage extends beyond the targeted equipment to the surrounding facility.

The physical damage is real and measurable. The complication is that the root cause (cyber attack) may be excluded under traditional property insurance.

Fire Insurance and Cyber Exclusions

Standard fire insurance policies in Malaysia cover loss by fire, explosion, and defined perils (lightning, riot, aircraft impact, etc.). The policy covers damage to buildings, machinery, and contents caused by these perils.

However, most fire policies explicitly exclude loss caused by cyber events or computer system failures. The exclusion typically reads: "This policy does not cover loss or damage arising from or contributed to by computer virus, malware, hacking, or failure of computer systems." This blanket exclusion bars claims even if the physical loss (fire, explosion) would normally be covered.

Illustrative example, not a specific client case: a cyber attack on a factory's SCADA system causes a pressure vessel to fail and explode, triggering a fire that destroys RM2M of equipment and the building interior. A traditional fire policy would deny the claim entirely because the root cause (cyber attack) is excluded, even though the peril (fire and explosion) is normally insured.

The irony is that the insured peril (fire) is covered, but the exclusion on cause (cyber) bars the claim. This is the coverage gap.

All-Risks (IAR) Insurance and Cyber Exclusions

All-Risks Insurance (also called IAR or "Industrial All Risks") is broader than fire insurance. It covers loss to plant and equipment from any cause except those specifically excluded. All-Risks policies are common for factories with valuable machinery.

However, like fire policies, most All-Risks policies now include cyber exclusions. The exclusion bars claims arising from cyber events, even if the loss would otherwise be covered under the all-risks framework. The language is similar: "Exclusion: Loss or damage arising from computer virus, malware, hacking, or failure of any computer system."

The scope of cyber exclusions in All-Risks policies is often broader than in fire policies. Some All-Risks policies exclude not just direct loss by cyber, but also loss of profits or business interruption caused by cyber incidents. This creates a compounding gap: the equipment damage is excluded under the cyber exclusion, and business interruption is excluded separately.

All-Risks is still broader than fire, but cyber exclusions have significantly narrowed its scope for industrial facilities facing modern risks.

The Coverage Gap: What Is Not Covered

The coverage gap exists because: fire and all-risks policies exclude cyber causes, and standalone cyber insurance policies exclude physical property damage (they cover data breach liability, network interruption costs, and recovery expenses, but not building or equipment repair).

This gap exposes factories to uninsured cyber-caused physical loss. A factory with RM5M in fire insurance and RM2M in cyber insurance may still face a RM3M uninsured loss if a cyber attack causes property damage.

Regulatory environment in Malaysia compounds this. There is no mandatory cyber insurance requirement for factories, but OSHA 1994 and BOMBA fire code require that hazardous machinery be monitored and controlled safely. A cyber attack that disables safety systems may breach these requirements, and a claim denial due to cyber exclusion could leave the factory liable for non-compliance damage as well.

Closing the Gap: Cyber Property Damage Endorsements

Forward-thinking insurers in Malaysia now offer cyber property damage endorsements. These are add-ons to fire or all-risks policies that remove the cyber exclusion for physical property damage (while still excluding cyber-related business interruption or data loss, which remain within cyber insurance scope).

A cyber property damage endorsement typically covers: loss of or damage to physical property (buildings, machinery, equipment) directly caused by cyber attack, malware, hacking, or deliberate IT sabotage. The endorsement does not cover business interruption, data loss, or extortion; those remain excluded.

Cost of such endorsements varies: for a factory with RM5M in sum insured, a cyber property damage endorsement might cost RM5,000-RM15,000 per year (0.1-0.3% of sum insured), depending on the factory's cyber maturity (e.g., whether SCADA systems are air-gapped, whether monitoring is in place).

Cyber property damage endorsements are not yet standard in Malaysia, but they are available from forward-thinking carriers. Factories in high-risk sectors (chemicals, pharmaceuticals, food processing, electronics) should request these endorsements when renewing fire or all-risks policies.

Business Interruption and Cyber: A Separate Gap

Even if you obtain a cyber property damage endorsement, business interruption from cyber-caused downtime is not covered. Business interruption (BI) insurance covers loss of profits when the factory cannot operate due to property damage. However, if the loss is caused by a cyber attack, the BI claim is typically excluded under a separate cyber exclusion.

Standalone cyber insurance covers some cyber-related business interruption (if the policy includes "network interruption" or "dependent business interruption" coverage), but most cyber policies limit BI coverage to the direct cost of recovery (e.g., hiring IT forensics), not the lost profit from production downtime.

Illustrative example, not a specific client case: a factory facing a month-long shutdown after a ransomware-induced equipment failure might find a cyber property damage endorsement responding to equipment repair, business interruption excluded for the cyber cause, and a stand-alone cyber policy covering only response costs. The uninsured profit-loss exposure is often the largest single number on the page.

FAQ

Q: If fire damage is caused by a cyber attack, does my fire insurance cover it?

A: Most fire policies include cyber exclusions that bar claims arising from cyber causes, regardless of the peril (fire, explosion, etc.). The answer is usually no, unless your policy includes a cyber property damage endorsement. Check your policy's exclusions section or ask your intermediary for the exact wording.

Q: My all-risks policy has no cyber exclusion; am I automatically covered for cyber-caused damage?

A: Unlikely. Most modern all-risks policies issued from 2019 onward include cyber exclusions, often based on industry-standard wordings such as the Lloyd's Market Association LMA 5400 or the IUA 09-081 / 09-082 cyber exclusions, with the older Institute Cyber Attack Exclusion CL 380 still in circulation. Check your policy document for the cyber exclusion clause. If your policy is older and genuinely has no cyber exclusion, you have broader coverage than most, but verify with your intermediary before relying on this.

Q: Does my cyber insurance policy cover the property damage?

A: Standalone cyber insurance typically covers data breach liability, network interruption recovery costs, and extortion expenses. It does not usually cover physical property damage (equipment repair, building restoration). You need a cyber property damage endorsement on your fire or all-risks policy for that coverage.

Q: What is a cyber property damage endorsement?

A: It is an add-on to a fire or all-risks policy that removes the cyber exclusion specifically for physical property damage caused by cyber attack. It does not cover business interruption or data loss. Cost is typically 0.1-0.3% of sum insured per year.

Q: How do I know if my factory is vulnerable to cyber-caused property damage?

A: If your factory operates SCADA, PLC, or DCS systems connected to a network (even an internal network), you are vulnerable. If safety interlocks or critical equipment rely on these systems, damage is possible. An industrial cyber risk assessment (available from specialized firms) can identify vulnerabilities.

Q: Can I appeal a claim denial if the insurer says cyber is excluded?

A: Yes. You can challenge the exclusion through IDR (insurer dispute resolution) or PIAM if you believe the exclusion is unreasonably broad or does not clearly apply to your loss. However, if the exclusion is clearly written and the loss arose from a cyber cause, the appeal will likely fail. Prevention is better: obtain a cyber property damage endorsement before a loss occurs.

Foundation Conclusion: Closing the Cyber Gap

Traditional fire and all-risks insurance were designed before cyber attacks posed a physical threat. The policies exclude cyber causes, creating a gap between what property owners expect to be covered and what is actually insured.

Factories with operational technology (SCADA, PLC, DCS) systems face real risk of cyber-caused property damage. A single malware infection or DDoS attack can trigger fires, explosions, or equipment failures costing millions. Without explicit cyber property damage endorsements, these losses are uninsured.

Foundation is a specialist property and engineering insurance intermediary. We do not provide registration, certification, or training services. We help you insure the risks that compliance is designed to manage.

When advising on factory property coverage, we make sure your fire and all-risks policies include cyber property damage endorsements appropriate to your operational technology footprint.

Your next step is to review your fire and all-risks policies for cyber exclusions and confirm whether cyber property damage endorsements are in place. If not, request a quotation from your insurer before renewing.

Foundation Conclusion

This is the practical view for Malaysian operators and finance teams. The detail above is the working knowledge a quote conversation can draw on; the actual placement decision rests on your specific situation.

Foundation works with property and engineering insurers across Malaysia, packaging risks so the resulting cover reflects what the work actually involves.

Talk to our risk specialists

Disclaimer: This article provides general guidance on insurance coverage available in the Malaysian market as of May 2026. Premium ranges cited are industry-reported indicative figures, not Foundation rates. Policy terms, conditions, and availability vary by insurer. Always review your specific policy wording or consult a qualified insurance professional before making coverage decisions. Foundation is a specialist property and engineering insurance intermediary.