Since its inception in 1973, the Commercial General Liability policy has been amended several times, allowing it to modestly adjust to the ever-changing business world. Several of these amendments were introduced to specifically address e-commerce (Malecki, 2005). While some changes added Internet-related coverage, most have dramatically decreased coverage for these types of exposures. Still, some coverage may be afforded in the event of a cyber-related loss.
In 2001, ISO changed the definition of “property damage” by specifically excluding “electronic data” as tangible property (Malecki, 2005). In 2004, however, ISO introduced the Electronic Data Liability endorsement (CG 04 37), which added “electronic data” back to the definition of property damage in the CGL (Malecki, 2005). The title of the endorsement was a little confusing though, as the endorsement only provided protection when loss or damage to electronic data resulted from physical injury to tangible property. Additionally, in 2004, ISO introduced a new Electronic Data Liability coverage form, which, unlike the traditional CGL, was made on a claims-made basis (Malecki, 2005). This form provides more coverage than the endorsement does as it “does not require that the loss of electronic data result from physical injury to tangible property” (Stanovich, 2004). The potential downside to this form is that it excludes businesses that provide computer products or services and also excludes damages resulting from unauthorized use of data (Stanovich, 2004). Furthermore, the form contains nine other exclusions (Malecki, 2005). In today’s business environment, these two endorsements probably won’t provide the kind of electronic data protection companies are looking for.
Coverage B of the CGL covers “Personal and Advertising” injuries. A change was made to this section of the policy in 1986, which added the phrase “any manner” to injuries resulting from slander, libel, and disparagement (Malecki, 2005). The new definition, therefore, added coverage for Internet-related incidents. Eventually, the same phrase was added to injuries resulting from violating another person’s privacy (Malecki, 2005). Conversely, in 2001, Internet-related coverage was greatly restricted by the addition of three exclusions. One of the exclusions prevented insureds in the Media and Internet Type businesses from obtaining coverage (Malecki, 2005). This includes insureds that are in the business of advertising, broadcasting, publishing or telecasting. This definition goes on to say that the placing of frames, borders or links, or advertising, for you or others anywhere on the Internet, is not, by itself, considered the business of advertising, broadcasting, publishing or telecasting. This definition is somewhat vague and, if anything, seems to provide insurers with some wiggle room when defining these types of businesses.
Moreover, exclusions for Personal and Advertising injuries arising out of Electronic Chatrooms or Bulletin Boards and the Unauthorized Use of Another’s Name or Product were added in 2001 to reduce Internet-related coverage (Malecki, 2005). The former would most likely exclude injuries arising out of social networking sites and blogs as they have “walls” or areas where comments can be posted by employees.
Cyber Risk policies
Cyber-risk policies were first introduced in the mid-90s and were initially difficult for carriers to underwrite as not much historical data was available. Very few companies reported cyber-related losses back then, providing even less information for insurers to use in the underwriting process. The trend of not reporting cyber-related losses continues today, but has improved thanks to a few advocates who attempt to collect this data. This, in some ways, has allowed cyber coverage to gradually expand over the years.
Unlike the CGL, most cyber policies are written on a claims-made basis. They typically provide one of the most important coverages under the Network Security section. This coverage generally affords basic protection against allegations made by third parties that they were economically harmed by a breach in the insured’s network. Network Security coverage has a variety of triggers, including Unauthorized Access, Unauthorized Use, Virus Transmission, Denial of Service Attacks, and Denial of Access. Privacy coverage often extends Network Security coverage to paper files and mobile equipment, such as laptops or smartphones. As mentioned earlier, mobile device use by employees is on the rise, making this coverage very beneficial to certain companies. On the other hand, though, some underwriters are specifically restricting coverage for PDAs. Finally, the Privacy coverage protects against any inadvertent breach of privacy statements that may be on the company’s websites.
Also, cyber-risk policies commonly provide some type of Media and Intellectual Property Liability coverage. This coverage protects against liability issues arising out of personal and advertising injuries from use of company websites. Additionally, coverage may be provided for liability issues arising from maintaining third party intellectual property stored on the insured’s networks. A potential downside is that coverage for injuries arising out of use of Blogs, Chatrooms, and Social Networking sites is usually not provided, and therefore must be added if needed. Coverage for domain name disputes can typically be provided in this section as well. It is not unusual to add coverage for media in paper form such as corporate newsletters, brochures, etc.
As mentioned earlier, first party expenses can be just as high as the liability expenses associated with a cyber loss. The costs of placing ads and press releases, preparing and sending required notifications, hiring a public relations firm, and providing credit monitoring can add up very quickly, costing companies millions of dollars. Thankfully though, coverage is often available for these types of expenses under a Crisis Management Expenses section of the policy. Insureds concerned with these costs, therefore, may find it beneficial to have both their first and third party cyber exposures covered under one specialized policy. Insureds should be aware that pre-approval of these expenses is usually needed before the carrier will pay.
Despite the difficulties cyber-risk policies initially faced, more businesses are including them in their portfolio of risk management tools. According to the 2008 CSI Computer Crime and Security Survey, 34% of respondents now use cyber-risk policies, up from 29% the previous year (see graph below). Although this is a fairly small increase, the use of cyber risk policies will likely continue on a slow but upward trend as new risks emerge and carriers create better, well-rounded policies. As for the CGL, it is evident that it will continue to cover some of the online personal and advertising injuries companies become liable for. This assumes individual underwriting companies have not added special limitations or exclusionary language for Internet risks. Furthermore, since companies typically do not charge for advertising and injury coverage, they typically are not interested in writing accounts with any adverse loss history or potential. Also, it is clear that there are many other risks that companies are exposed to and will become exposed to that the CGL wasn’t intended to cover. In this new age of rapid technological advancements, it will be vital for businesses to promptly identify emerging cyber-risks and to correctly assess them. Only then can a company spot coverage gaps and determine the appropriate risk transfer and/or control techniques to be put into place.
*Data was obtained from the 2004-2008 CSI Computer Crime and Security Surveys