There are many cyber insurance products available for purchase, and each is somewhat unique. Some products are more comprehensive than others. Some cyber insurance products are combined with insurance policies of another type; for example, technology errors and omissions liability insurance. And, there is some important “cyber” insurance protection available in insurance policies which might not immediately be recognized as providing such coverage.
This article will describe the process involved with the selection of effective cyber insurance coverage.
Evolution of (Specific) Cyber Insurance
The first policies which began to address the emerging issues involving the use of the Internet, and related privacy/security liability issues, began to appear near the end of the 1990s. They were expensive, and carried exclusionary language for situations such as “failure to promptly install a software patch,” and the scope of coverage was limited primarily to electronic-related security and privacy allegations. Underwriters expressed concern for the possibility of a worldwide aggregation of virus planting, hacking or electronic grid problems. But the coverage evolved with new insurers entering the market and with efforts to improve coverage.
Soon, broad first-party (interruption in online earning stream) coverage was available and the scope of the liability coverage had expanded to provide coverage on an “enterprise wide” basis. At present, there are numerous insurers willing to underwrite various levels of cyber coverage, and each policy has its own nuances. We’ll address some of these nuances later in this article.
Other Sources of Protection
Commercial General Liability – The Policy Definition of “Personal Injury.” While it is safe to state that underwriters were not anticipating most currently known cyber exposures in the design and underwriting of insurance products appearing prior to the 1990s, it is also safe to state that there may be some coverage in “traditional” insurance policies.
Any good insurance broker would go to extreme lengths to try to find coverage based upon the claim situation at hand. An example might be lawsuit allegations to the effect of “invasion of privacy/confidentiality.” Certainly, cyber insurance policies — and perhaps certain technology errors and omissions liability policies, and even some professional liability policies — may provide this coverage. But it’s also true that many commercial general liability (CGL) policy forms, under the definition of “Personal Injury,” will likely provide some form of cyber coverage, as well.
Typical policy language will include an affirmative coverage statement for “publication or utterance of material which violates an individual’s right to privacy.” While this language isn’t broad enough to encompass coverage for liability arising out of hacking situations, there could be coverage for plaintiff allegations matching — or even coming close — to the coverage afforded, although it must be remembered that most CGL insurance is written on an “occurrence” basis, and not on a “claims made” basis. It is also true that some insurers will further endorse the CGL policy to specifically exclude claims brought by customers of the insured organization, which greatly limits the overall scope of any coverage otherwise provided.
Employment Practices Liability (EPL). The purpose of EPL insurance is to defend and provide settlement coverage for situations primarily focused on employee-generated allegations of discrimination, harassment and wrongful termination. On an ancillary basis, many insurers will include coverage for “employment related” breach of privacy. Sometimes the qualifying terminology “employee-related” is not included, which significantly expands the overall scope of the extension. Regardless, if the plaintiff allegations include mention of employment-related breach of privacy/confidentially, the EPL policy can be looked to for possible insurance defense/settlement, depending upon the exact language used by the underwriter in the basic EPL insuring provisions, and the specific allegations advanced by the plaintiff.
In addition, many insurers routinely include a coverage extension for such claims brought by non-employees, such as customers, vendors and others. If this extension is in place on the EPL insurance, and the language used to extend the coverage isn’t restricted in such a way as to prevent the insurer from denying plaintiff allegations of customer-related breach of privacy/confidentiality, then protection could conceivably exist within the EPL policy for such allegations. The lack of such a restriction isn’t likely, but it is possible. Anything is possible with insurance language from insurer to insurer.
Fiduciary Liability Insurance. The Employee Retirement Income Security Act (ERISA), effective Jan. 1, 1975, was designed to provide federal regulation of employee benefit plans. Following its implementation, several insurers rushed to introduce liability insurance coverage that would defend and protect persons within organizations charged with administering and implementing employee benefit plans. These new insurance products were known as fiduciary liability insurance policies.
Over the ensuing years, the ERISA legislation was amended by additional federal legislation, one of which was the Health Insurance Portability and Accountability Act (HIPAA), which was aimed at the removal of barriers to hiring persons with serious medical situations (or dependents thereof), for fear of a negative impact upon employer group insurance pricing. Additionally, there was the mandate that employers would be required to protect the privacy or employee medical and health-related information.
Beginning in the early 2000s, some insurers began offering HIPAA Civil Money Penalties coverage as an endorsement to fiduciary liability insurance policies (usually subject to a policy sub-limited limit of insurance).
Following the passage of President Obama’s stimulus legislation, effective in February 2010, it was learned that this legislation contained a provision amending the HIPAA legislation, whose official name is the Health Information Technology for Economic and Clinical Health, or HITECH. The purpose of HITECH was to mandate prompt notice to employees by employers in the event of a data security breach, with special requirements when 500 or more employees’ records are affected by the breach.
So, fiduciary liability insurance has an important, if ancillary, role to play in securing the best possible insurance for cyber-related exposures. The best approach: Be certain that HIPAA civil money penalties are covered, and make certain that no fiduciary liability exclusion exists for HITECH exposures.
Crime Insurance. There may also be some coverage under certain crime insurance policies for cyber-related exposures. Many buyers of crime insurance don’t fully grasp that the scope of most crime insurance is to cover “loss of or damage to … money (usually defined), securities (usually defined) and property other than money and securities, in tangible form.”
Striking a blow against any coverage for cyber-related situations is the fact that nothing about the Internet is tangible.
Increasingly, transactions for many goods and services are conducted online, including money transfers, bill/invoice payments, and even payments for many services such as insurance coverage, for example.
So, basically put, under most crime insurance policies, if an employee steals money (or securities, or tangible property), employee dishonesty insurance should respond subject to limit, deductible amount and other provisions of the insurance. If an employee steals intellectual property (or data, or valuable information), that property is not covered as it is likely not in tangible form (although the CD, copy paper, or flash drive used for transport of the information would be considered tangible).
To be specific, the provision of the crime insurance policy which could conceivably provide some cyber-related coverage could be the “computer fraud” or “funds transfer fraud” insuring clauses and provisions. This insuring clause is certainly optional, but having it in place can prove to be almost a life-saver.
The purpose of the “computer fraud” insuring clause is to replace financial assets of the insured organization following a described form of “outsider access” through a computer or computer system of the insured organization that caused the organization to suffer a financial loss. As an example, if the organization transferred money from its own bank account into the bank account of another party based upon instructions provided to do so from outside the organization (but not authorized by the insured organization), and utilized a computer of the organization (as the receiving instrument for such instructions), the “computer fraud” insuring clause could provide coverage, depending upon the limit and deductible amount on the crime policy in question, the exact circumstances of the loss, and other coverage aspects of the policy.
Thus, having “computer fraud” insurance is an important component to a full, well rounded insurance program, and especially with regard to doing everything possible to insure against the exposures of computer fraud.
There is also some limited underwriter interest in providing a coverage extension for insureds involved in producing/issuing gift cards with respect to the stored value on such cards, when such cards are within the possession of the insured organization. Again, nothing about the Internet is tangible, so having coverage apply to gift card values — as opposed to just the value of the blank gift card — is a major step in the direction of insurance coverage for situations involving gift cards.
Other Elements of Cyber Insurance
Within some insuring organizations, there is overlap among those underwriting technology errors and omissions coverage and cyber exposures, and when that overlap occurs, some technology E&O insurance products can be endorsed to provide elements of cyber liability insurance.
An example would be a technology E&O policy endorsed to specifically address allegations of “unauthorized access,” “breach of privacy/confidentiality,” and even “failure of IT security.” Of course not every technology E&O underwriter would be willing to do this, but it is not especially uncommon. Any or all of these cyber-related exposures can conceivably be included for coverage on technology E&O, and similar insurance products. However, it could prove very difficult to find a “pure” technology E&O insurance product that was extended to reimburse insured organizations for notification costs and related expenses. Many cyber insurance underwriters would consider this to be “first-party” coverage directly benefiting the insured organization, and it is difficult to argue against that position.
It can be generally stated that most E&O (and professional liability) insurance policies do not contemplate significant cyber-related exposures, unless coverage for the exposure is contemplated by the insuring agreements of the policy, or, if specifically added by endorsement. For example, most lawyers professional liability insurance policies don’t contemplate, within the historical context of the insurance provided, coverage for “unauthorized access,” “failure of IT security,” or coverage provided on an “enterprise-wide” basis. However, some E&O/professional liability policies have historically provided coverage for allegations of “breach of privacy/confidentiality.” The same could be said for insurance agents E&O insurance, although recently, some insurers have begun adding some measure of cyber liability insurance coverage to such policies by specific, optional endorsement, and for an additional premium charge.
Combining Cyber Liability With Executive Liability Insurance
Increasingly, major underwriters of the cyber liability exposure are willing to add coverage for certain elements of this exposure, by endorsement to directors and officers liability (D&O) and other executive liability insurance products. This can prove to be very efficient and even cost effective, but care must be taken when this occurs to be certain that:
- The policy aggregate limit is not further extended to include cyber liability claims and expenses. If it is, then consideration should be given to an aggregate limits increase, or having the aggregate limit apply separately to each individual liability coverage line.
- The scope of coverage provided by the cyber endorsement is generally consistent with the scope of coverage in the insurer’s monoline cyber liability coverage form.
- The “one size fits all” approach to adding the coverage is generally consistent with the exposures anticipated by both buyer and seller for the risk at hand. True efficiency necessarily means that there is little room for individual account variation in coverage terms and specifics.
With continued efforts toward consolidation of coverage, and increased “packaging” of various coverage lines, it is inevitable that insurers will attempt to sell cyber insurance in conjunction with other insurance products, such as management liability or related products.
New Developments in Cyber Insurance
As cyber insurance has evolved, the coverage has become more comprehensive and insurers are looking for ways to distinguish products with a variety of bells and whistles.
A basic example is the policy definition of “territory.” At a minimum, the policy territory should be “worldwide” for what should be obvious reasons. But some insurers go even further, such as “universal,” or “anywhere in the universe,” or even “anywhere” although many underwriters clarify that coverage will not apply in places where the United States has trade sanctions.
Other important evolutionary coverage aspects involve the important “Notifications Costs Reimbursement” coverage. Initially, many insurers were willing to reimburse hard costs of notifying affected residents of a state which had passed a notification law only (notification if required by law). But with the passage of time, this requirement has softened for many, but not all insurers, and credit monitoring expense reimbursement has been included by many insurers. Also, some insurers now offer an option for reimbursing for a specified number of notifications, as well as involvement of third-party with notification experience to handle and direct the notification process. Notification also has expanded to include employees, with respect to employer medical/insurance information disclosure, and in accordance with the HI-TECH amendment to the HIPAA legislation.
Another recent coverage development is for “Cloud Failure.” Coverage applies if the insured’s online earnings stream is interrupted by an unannounced or unplanned failure of a cloud service provider relating to the insured’s access to associated cloud computing services. Like Notification Costs Reimbursement, Cloud Failure is considered to be a first-party insurance coverage within the world of cyber insurance.
Village of Coverage
A famous politician one said that it takes a village to properly raise a child. The similar statement for cyber insurance is that to get the best possible coverage for a given exposure, several insurance policies may contain elements of coverage, which when taken with a really solid cyber insurance policy, may result in the best possible cyber insurance coverage.
The best possible insurance for the cyber exposure may involve not only a finely tuned cyber insurance policy, but also the presence of elements of coverage to address various aspects of the exposure in other insurance coverages maintained by the organization.
Clarke, CPCU, CIC, senior vice president at J. Smith Lanier & Co., is the author of two books “Maximizing Coverage/Minimizing Costs” (1993); and “Executive Liability Insurance” (Fifth Edition, 2012), and a specialist in the areas of management liability; errors & omissions liability; cyber liability; crime and ancillary coverages.