E-Commerce Insurance Issues: A Year in Review
June 2001
This article summarizes the events witnessed
in the e-commerce insurance arena in the past year: where we were, where we
are, and where we may be headed. The trend toward excluding computer virus from
commercial property policies and reliance on stand-alone e-commerce policies
are among the topics discussed.
by Michael
A. Rossi
Insurance Law
Group, Inc.
This is part of an ongoing series on e-commerce issues. Other articles include:
Also, refer to the
Stand
Alone E-Commerce Market Survey for a chart listing the different stand-alone
e-commerce insurance policies currently known to the author. This chart will
be updated on a regular basis.
The first several articles in this column focused on our perceptions of the
world of e-commerce insurance issues. What were policyholders large and small
doing? What were insurance brokers doing? What were insurers doing? We thought
it would be helpful to summarize the events that we have witnessed in the past
year. Where were we last year, where are we now, and where might we be headed?
This article focuses on the experience of large, multinational companies
headquartered in the United States and the United Kingdom, because the author's
e-commerce insurance experience is rooted in those areas. This article is, therefore,
geared toward that segment of policyholders. A future article will focus more
on the experience of smaller companies.
Where We Were Last Year
Last year, after having discussed e-commerce insurance issues with companies
since at least 1997, we saw an explosion in awareness of e-commerce insurance
issues (really after the Y2K phenomenon died down by February 2000). Many companies
came to us with one directive—help us identify potential gaps in our insurance
program with respect to e-commerce risks, and help us close those gaps by amending
our policies. Inherent in that strategy was the following mindset: we don't
want anything to do with stand-alone e-commerce insurance.
Where We Are Now
What a difference a year makes! It is true that many insurers have amended
traditional policies to fill the potential gaps in coverage for certain e-commerce
risks, as identified and discussed in the previous articles in this column.
However, just as often we've seen insurers, time and time again, refuse to provide
amendments to expressly address several issues on certain lines of insurance.
And, more importantly, some insurers are excluding coverage on certain lines
of insurance that previously had been provided.
The Good
Amending or buying traditional policies to respond to the plethora of legal
liability issues arising from e-commerce activities has not been that difficult.
Many policyholders can buy or amend traditional commercial general liability,
umbrella liability, media liability, and professional services liability policies
to cover most of the risks discussed in the prior articles in this column (and
to match most of the legal liability risks covered by stand-alone e-commerce
policies). And, in our experience, kidnap and ransom insurers have been willing
to amend their policies to match the insuring language provided by stand-alone
e-commerce policies for extortion risk.
The Bad
However, while commercial property, crime, and fidelity bond insurers have
been willing to provide some coverage enhancements and clarifications, they
do not seem to be willing to address the following. And, to be clear, let me
just say now that each statement made below is based on my own experience. In
other words, there may be exceptions to the statements set forth below; we just
don't know of any.
Crime and Fidelity Bonds. First, no crime or
fidelity bond insurer has agreed to remove the "potential income" and "indirect
loss" exclusions from their policy forms. As previously reported, it is important
to remove those exclusions to ensure business interruption and extra expense
coverage under such policies, coverages needed for losses caused by employee
theft (as opposed to employee malicious destruction).
Commercial property policies cover certain types of employee malicious destruction,
but exclude employee theft or employee dishonesty. So if you want to cover business
interruption and extra expense caused by employee theft or employee dishonesty,
you need to add that coverage to your crime policy or fidelity bond. While it's
easy to come up with the policy language to address the issue, no crime or fidelity
bond insurer will add it to their traditional policy forms.
Second, crime and fidelity bond insurers also have not been receptive to
covering the insured's liability for financial injury caused by the use of information
of others that had been in the insured's care, custody, or control but that
had been stolen. For example, credit card and other sensitive information about
the insured's customers, vendors, suppliers, etc., can be stolen and used to
the financial detriment of such persons. This is different than covering the
insured's liability for the "value" of the property of others that is stolen.
Again, it is easy enough to add language to the policy to address the issue,
but no crime or fidelity bond insurer will add the language to its traditional
policy forms.
Commercial Property. These insurers are not
generally willing to provide clarification language to expressly recognize coverage
for denial of service attacks. If you ask insurers to add such language, they
usually refuse and point to the "loss of use" exclusion as their way of carving
out the coverage. Our hunch is that this issue will be litigated.
A variant of the issue is being litigated in the infamous
Ingram Micro
case pending in the federal courts in Arizona. But even if courts agree with
policyholders that commercial property policies as currently worded provide
coverage for denial of service attacks and other loss of use or impairment of
use/functionality losses, we believe that all the insurance industry will do
is add a more express exclusion for such losses at renewals—and where does that
leave risk managers?
Also, commercial property insurers are not willing to extend legal liability
coverage to the insured's liability for financial injury caused by the use of
information of others that had been in the insured's care, custody, or control
but that had been stolen. This is the same issue as referenced above for crime
policies and fidelity bonds.
Most standard form commercial property policies cover the insured's legal
liability for the value of property of others in the insured's care, custody,
or control (the coverage is supposed to work hand-in-glove with the care, custody,
or control exclusion in commercial general liability and umbrella liability
insurance). But trying to extend the coverage to insure legal liability for
financial injury caused by another's use of the stolen information is being
met with a consistent "No."
Further, commercial property insurers are not willing to cover certain losses
caused by innocent errors in programming or machine instructions. Most insurers
use an exclusion in their forms to bar certain coverage for such risks (some
will amend the exclusion with an "ensuing loss" or "resulting loss" exception).
The Ugly
This next item pains me the most. Unfortunately, more and more commercial
property insurers are starting to expressly exclude or severely limit coverage
for losses caused by computer virus. We first read about this issue in trade
journals late last year discussing the reinsurance industry's move to exclude
computer virus in reinsurance policies sold in the United Kingdom/Europe. That
had an effect on direct insurance sold there, with direct insurers imposing
sublimits on the coverage (because they were taking it on "net" without reinsurance
support) or excluding the coverage altogether (because they were not willing
to take it on net).
U.K., European, and Australian readers probably have witnessed this first-hand,
whereas many in the United States probably have not—yet. Our bet is that, unfortunately,
this wave of excluding computer virus from commercial property policies will
hit U.S. shores in the coming months, unless one insurer, FM Global, takes the
lead in staving off this wave.
FM Global taking a "lead" on such issues? Readers might be wondering whatever
happened to the clarification and extension language that FM Global said it
might come out with on its commercial
property and crime policies. We have not seen what FM Global is offering in
the way of any e-commerce clarifications and/or extensions on its crime policies.
(More on that issue later when the information is made available.)
We have, however, seen the e-commerce clarifications and extensions that
FM Global is offering on its commercial property policies. The clarifications
are nothing new, in my experience, and the extensions fall far short of what
is available in the stand-alone e-commerce policy market as far as coverage
wording goes. And FM Global does not appear to be offering anything more than
the stand-alone e-commerce market in the way of capacity (sublimits are placed
on the extensions that are similar to the limits available from the stand-alone
e-commerce insurers).
In our view, such a response is not taking a "lead" on these issues—it's
more like an attempt to try to keep up with the stand-alone e-commerce pack,
although from our vantage point, FM Global's response is a year or so behind.
That said, one positive thing can be said about FM Global with respect to
its response to e-commerce risk—to date FM Global has not backed down from confirming
coverage for computer virus loss in its policies. This is extremely important,
and apparently no small accomplishment, given what is happening in the United
Kingdom/Europe and elsewhere. Time will tell whether FM Global can weather this
storm and somehow keep its computer virus coverage intact for its customers.
Our view? Kudos to FM Global on computer virus coverage issues; but raspberries
on other e-commerce insurance issues for its commercial property policies.
Where We Might Be Headed
In sum, stand-alone e-commerce insurance policies that address the potential
"gaps" discussed above appear to be the only viable option for insuring such
risks with express insurance language. We take no solace in making this statement,
but do take seriously the job of trying to objectively report on what is happening
in the world of e-commerce insurance issues. As a result, we predict that we
will see more and more large companies take an interest in stand-alone e-commerce
insurance, especially if they cannot secure computer virus coverage in their
commercial property insurance programs.
Readers should not lose sight of something just as important—some policyholders
are obtaining amendments to traditional policies to clarify or extend coverage
for e-commerce risks. So any e-commerce insurance strategy should include a
two-pronged approach:
- Amend traditional policies and/or add traditional policies where appropriate,
and
- Explore the possibility of obtaining e-commerce insurance to cover whatever
potential "gaps" you have identified in your program but cannot "close"
by amending traditional policies or adding traditional policies to your
program.
Coming in Future Articles
In the next couple of articles for this column, we will address the following
issues.
Is computer data tangible property? We thought
this question was already asked and answered by the courts. Not necessarily.
We will explain why, and what that means for policyholders when trying to address
e-commerce insurance issues at claim time and when implementing an e-commerce
insurance strategy.
Why is buying a stand-alone e-commerce policy so difficult?
There is a unique underwriting "process" that is required, where the risk management
and information technology (IT) departments of companies must "partner" in a
way they have never done before. And the policy forms are absolutely difficult
to understand and compare (and that's coming from an insurance lawyer who has
been reading various types of insurance policies on a weekly basis for over
10 years!). By gleaning comments from risk managers, brokers, underwriters,
and IT professionals, we will report on what appears to be working and not working
with respect to buying a stand-alone e-commerce insurance policy.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author’s employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.