So far in this series of columns, we've discussed cyber-risk insurance by looking at insurance policies designed specifically to cover this type of risk. However, there are also so-called "silent" or "phantom" covers, i.e. insurance policies that do not clearly exclude cyber-risks, even though they were not designed to cover them. These policies could therefore offer some cyber-risk coverage, often without the insurer's own knowledge!
Many property and commercial liability policies do not carry cyber-risk exclusions, and the same is true of directors’ and officers’ liability policies.
For example, certain claims for an employee privacy breach may be covered under the employment practices and fiduciary liability coverages typically found in directors’ and officers’ liability policies. Multimedia liability insurance policies, as well as the advertising injury liability coverage found on commercial general liability policies, may be available to cover certain risks related to websites for which coverage would also be available under a “cyber-risk” policy. Finally, while most “cyber-risk” policies provide coverage for data recovery costs, some commercial property insurance policies also provide coverage for data recovery costs through an extended Computer Hardware Insurance coverage, provided that the coverage is not limited to specified risks and also includes the risks associated with computer hacking. However, these indemnities are generally subject to low limits.
Over the next few years, it is probable that insurers will attempt to introduce cyber-risk exclusions into those of their policies that could provide “silent” coverage. Several of them are already in the market testing phase. Indeed, it is normal to want to clarify the scope of coverage of an insurance product when another product, with a more specific scope, is offered on the market. The danger, however, is that some insurers could use exclusionary language so broad that adding the exclusion would create a gap in coverage, i.e. no insurance policy would provide coverage for the risk. One possible solution would be to have the coverage under the “cyber-risk” policy extended to fill this gap. For example, a contingent bodily injury and property damage endorsement (Contingent BI/PD) added to a cyber-risk policy could fill the coverage gap created by adding a specific cyber-risk exclusion to a commercial liability policy.
Moral of the story? Don’t be fooled by “ghosts”. Rather than expect an insurance policy to provide coverage for certain contingencies, it’s better to have the peace of mind that comes from a product designed to deal with them: a cyber-risk insurance policy. Most insurers who specialize in this area also offer the services of a breach response team, which may well prove to be an invaluable resource in such a situation.
This column concludes the series on cyber-risk and insurance. If you have any questions or would like to receive previous columns, please contact our professional liability department.