Cyber liability, relative to other coverage lines, is still within its infancy. To put it in perspective, property and product liability insurance rates are based on 50+ years of claims data. For this type of coverage, there is actuarial confidence in projecting what rates should be assessed to meet the probable chances of loss. For example, a fire will always be a fire – and the potential damage from a fire is a risk which can be reasonably calculated and mitigated. In contrast, within the cyber liability space, not only is there a lack of claims data, but there are new emerging exposures every day.
All insurance policies contain exclusions. Exclusions are the nature of almost every legal contract, and insurance is, at its core, a legal contract. When evaluating any new insurance policy it is always critical to fully understand any exclusions. This is especially true when there is not a standardization or “ISO” (Insurance Services Office) component to the policy. ISO is a governing body of insurance contract language. More likely than not, you’ll find “ISO” somewhere within the margin of the page on many of your policy forms. Cyber policies are particularly important to be wary of as they often lack the ISO accreditation indicating language standardization within the contract.
Common Cyber Liability Exclusions to Avoid:
- End-of-Life Software/Outdated Software – Whether it is proprietary software that was created specifically for the business but never updated or simply a server still running on Windows 95, it is important to understand that insurance companies do not want to cover claims they deem to be related to a piece of software which is not receiving regular maintenance and upgrades.
- Unencrypted Mobile Device/Data – Insurance carriers frequently look at data encryption as a “benchmark” of security. Lack of encryption does not, in and of itself, necessarily mean unsecured data. This exclusion should be avoided by all measures; it emphasizes a need for the insurance carrier to better understand an insured’s data system.
- Bodily Injury Exclusion – A cyber liability policy is not meant to include claims for bodily injury and property damage. However, recent litigation related to cyber breaches has seen an emergence of plaintiffs making “mental anguish” claims. Mental Anguish is a typical general liability coverage component, and since general liability policies exclude cyber liability losses, it is imperative that a cyber liability policy does not exclude third party claims for mental anguish as a result of a cyber liability incident.
- Mobile Device Exclusion – Mobiles devices (cell phones, laptops, tablets) are inherently risky since they are considered uncontrolled environments. They can contain confidential data, or have the ability to access secure data networks within a company. Insurance carriers will add this exclusion if mobile devices are not “encrypted.” Encryption is a difficult task for many companies, especially those operating under a “bring your own device” policy. Demonstrating proper controls will help to relieve a company of this exclusion.
- Card Issuer Fines and Penalties Exclusions – To the retail industry, one of the biggest concerns when dealing with a data breach is the potential fines and penalties that could be levied against their organization from the card issuers (VISA, MasterCard, etc.). These fines can easily reach six figures depending on the nature of the breach. Having an exclusion such as this in a cyber policy could result in severe financial impact for an organizaiton.
On the Cutting Edge, Not the Fringe
Lack of ISO accreditation does not mean cyber liability is a “fringe” coverage. It is quite the opposite. Cyber coverage is an important aspect of your organization’s insurance protection plan. However, as a business owner, you should be aware that cyber policies currently lack industry standardization; and knowing this, you need to be able to depend on a brokerage advisor who can discern the level of protection your cyber policy provides.