Insurers prepare for implementation of new cyber liability exclusions

Against the backdrop of Target Corp.'s massive data breach last month, the looming implementation of new cyber liability exclusions under standardized commercial liability policy forms should prompt companies to thoroughly review their insurance programs.

The Insurance Services Office Inc.'s recent revisions of its standard commercial liability policy forms could leave many firms with substantial gaps in their coverage of losses stemming from data breaches, experts said last week.

Approved by insurance regulators in all but four U.S. states and territories and effective on or after May 1, ISO's revisions are the latest indication of the insurance industry's ongoing effort to eliminate coverage for damages resulting from malicious or accidental data breaches under commercial liability policies, insurance experts said.

In its filing, ISO said that its commercial general and umbrella liability forms were developed long before losses of electronic customer or corporate information were considered a widespread threat.

“Even when we introduced our commercial umbrella policy in 2000, data breaches and hacking still weren't all that prevalent,” said Ron Beiderman, assistant vice president of ISO's commercial casualty division in Jersey City, N.J. “As a result, coverages related to the access or disclosure of personal or confidential information weren't really contemplated under these commercial liability policies.”

ISO's revisions to its general liability policy form consist primarily of a mandatory exclusion of coverage for personal and advertising injury claims arising from the access or disclosure of confidential information.

In addition to third-party damage claims, the exclusion also eliminates coverage for costs associated with data breach notifications, credit monitoring, forensic investigations, public relations campaigns and other expenses typically incurred by companies when confidential data is willfully or accidentally accessed and/or disclosed.

“It's essentially all of the crisis management costs that usually flow out of a data event,” said Roberta Anderson, a Pittsburgh-based partner at K&L Gates L.L.P. “Of course, the actual scope of the exclusion is going to need to be tested through the courts, so I think it will take a little while for the revision to make its way into policies.”

Importantly, the mandatory exclusion retains a provision ISO added to its general liability form in April 2013 for bodily injury claims arising from the loss of use or access, corruption or deletion of electronic data.

One optional version of the exclusion available to insurers using ISO's standard general liability form eliminates the exception for bodily injury claims, while a second optional version would apply only to personal and advertising injury claims, leaving the form's existing language regarding coverage of bodily injury claims stemming from a data breach unchanged.

“Recognizing the fact that not all risks are the same, it made sense for us to put different options out there to address the variability of companies and the exposures that they have,” Mr. Beiderman said.

ISO also introduced an identical menu of exclusions under its commercial umbrella liability form and its commercial excess liability form, as well as optional exclusions under its owners and contractors protective liability and products/completed operations liability form.

Though it is not expressly addressed in ISO's filing document, Mr. Beiderman said damages to tangible property resulting from a data breach likely would not be covered under any version of the revised standard GL form.

Similarly, property damage resulting from a data breach — regardless of its nature — likely would not be covered under a stand-alone cyber insurance policy, experts say. The ISO standard property form only treats data breaches/cyber attacks as covered causes of loss under an optional, additional coverage endorsement for the restoration of a policyholder's data that's damaged, corrupted or destroyed in the cyber attack. That coverage only applies if the attack was a virus, harmful code or similar instruction introduced or enacted on a computer system and was designed to destroy or damage any part of the system or disrupt its operation.

The potential gap in coverage for damage to physical property triggered by computer hacking, an accidental loss or corruption of data could be particularly troublesome for utility companies, transit systems and other large-scale industrial operations identified by the U.S. Department of Homeland Security as potential targets of cyber-terrorism.

“The omission of property damage from the (general liability) revised form is a pretty clear indication that ISO doesn't intend to cover it under a general liability policy,” Ms. Anderson said.

With the exception of several industry segments, studies indicate that purchasing stand-alone cyber and privacy liability insurance products has been consistently sluggish during the past three years, despite the rapid expansion of cyber liability exposures.

However, given that the vast majority of general liability policies in the U.S. are written in part or in their entirety on ISO's standard form, experts said the new and broadened data breach exclusions under that form in particular could trigger a significant boost in cyber insurance placements this year.

“The takeup rate for these kinds of policies tends to be higher within certain industries, particularly those that are heavily regulated, such as financial services, health care and technology,” said Catherine Mulligan, a New York-based senior vice president at Zurich North America.

About 30% of companies bought some form of cyber liability coverage last year, according to a report by the Traverse City, Mich.-based Ponemon Institute L.L.C.

“It also tends to be more popular among larger companies with more than $1 billion in revenue,” Ms. Mulligan said.