The exclusions are an important part of any liability insurance policy, but this is particularly true of cyber liability insurance policies. In the following guest post, Robert Bregman, CPCU, MLIS, RPLU, Senior Research Analyst, International Risk Management Institute, Inc., takes a look at ten of the most common exclusions found in cyber liability and privacy insurance policies. This guest post is an excerpt taken from a longer article entitled “Cyber and Privacy Insurance Coverage” that appeared in the July 2015 edition of The Risk Report, and is copyrighted by IRMI. Learn more about The Risk Report here.
I would like to thank Bob for his willingness to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to readers of this blog. Please contact me directly if you would like to submit a guest post. Here is Bob’s article.
As is the case with virtually every type of management liability insurance, the true extent of coverage that any given policy provides is a function of its exclusionary language. Accordingly, this article will analyze both the differences and similarities between 10 of the most common exclusions found within cyber and privacy policies. Its goal is to assist the reader in negotiating exclusionary wording that maximizes the scope of coverage a policy will provide in the event of a claim.
Bodily Injury and Property Damage. Cyber and privacy forms exclude coverage for claims alleging bodily injury and property damage. This is because such losses are covered under CGL/property insurance policies. However, cyber policies should contain language that excepts—and thus covers—“mental anguish,” “shock,” “emotional distress,” and “humiliation.” This is important, because in addition to alleging financial losses, data breach-related lawsuits also sometimes include these types of allegations.
War, Invasion, Insurrection. Nearly all of the policies exclude coverage for claims caused by war, invasion, insurrection, and similar perils. To insureds’ detriment, a number of insurers also exclude coverage for “terrorism” within this exclusion. Yet, language of this kind is problematic, because virtually every intentionally caused cyber-related hacking or intrusion event could be considered “terrorism,” thus affording the insurer an opportunity for a coverage denial. One means of moderating the scope and effect of such wording is for insureds to request that this exclusion be amended to affirmatively cover “electronic terrorism.” Wording of this kind would preserve coverage for hacking/intrusion-driven losses—although it still might preclude coverage if, for example, an insurer were to assert that an individual who stole paper files containing PII had engaged in an act of “terrorism.”
Fraud, Criminal, Dishonest Acts. Although the policies exclude coverage for fraudulent, criminal, and dishonest acts, make sure this exclusion is worded so that it applies only when these acts are committed by an insured, not by third parties. Such wording preserves coverage to defend insureds who are accused of criminal acts, which is the typical posture of a breached company sued after an outside attacker's intrusion. The exclusion should also (a) preserve coverage for “innocent insureds” (for situations where one or more insureds did commit an intentional act, but others did not) and (b) contain “final adjudication” wording, so that defense coverage continues until the excluded conduct has actually been established by a final adjudication rather than merely alleged.
Patent, Software, Copyright Infringement. Patent infringement claim exposures are excluded by cyber policies because they can be covered by intellectual property (IP) insurance forms. Nevertheless, the broadest cyber policies affirmatively cover the defense costs associated with copyright infringement claims, provided they are caused by non-management employees or by outside, third party technology providers.
Mechanical or Electrical Breakdown/Failure. The policies exclude coverage for losses caused by mechanical or electrical failures and breakdowns for two reasons. First, such failures do not usually result from data breaches. Second, when these kinds of breakdowns do cause business interruption, the resulting losses are normally insurable under standard property policies. Yet some system failures can be caused by hackers who, for example, overload a system with a flood of traffic or messages (a denial-of-service attack) or introduce malware that shuts the system down. As a consequence, insureds should request wording that excepts, and thus covers, mechanical/electrical failures that are intentionally caused by hackers.
Failure To Follow Minimum Required Security Practices. Applications for cyber and privacy insurance policies routinely contain detailed questions regarding the steps the applicant is currently taking to protect its electronic data. Accordingly, a growing minority of policies exclude coverage in the event it can be established that a claim was caused by a failure to continue implementing such measures (e.g., not regularly checking for and applying security patches). Fortunately, this exclusion is not (yet) universal. Therefore, an insured can avoid it by selecting a policy that does not contain an exclusion for failing to follow minimum security practices. If this is not possible, the insured should, first, take great care when completing a coverage application, making sure not to overstate the scope of its current cybersecurity measures; an answer such as a stated patching interval or a claim that all systems are encrypted should describe what is actually in place, not what is planned. Second, once coverage is in place, insureds must closely and continuously monitor the extent to which the procedures enumerated within the application are actually being implemented, since a gap between the application and practice at the time of a breach is precisely what this exclusion is written to capture.
Professional Services. This exclusion eliminates coverage for what are essentially technology E&O exposures (i.e., providing technology products and services to others for a fee), rather than losses resulting from data protection issues, which are the essence of the coverage provided by cyber and privacy insurance. Therefore, technology businesses such as cloud providers and website designers should buy “tech E&O” coverage, rather than cyber and privacy insurance.