Cyber Liability Insurance Issues for Large Companies:
Market Status Update for Summer of 2003 and Tips for the Buyer
November 2003
How are large firms covering their e-business
and cyber activity risks this summer? Some firms are building the cover into
their current policies; others are purchasing the broad-based/multiline policies
now available in the market. Watch the defense counsel and insurer selection
provisions in these policies and how B2B/B2C versus professional services coverages
are handled. Intellectual property infringement is another area of concern—and
possible negotiation.
by Michael A. Rossi
Insurance Law Group, Inc.
One of the themes of prior articles in
this column has been my perception that large companies are insuring their third-party
liability risk exposures arising out of e-business or cyber activities by building
the cover into existing parts of their insurance program or by buying broad-based/multiline
coverages where coverage for e-business and cyber liability risks is just one
of several coverages provided. This article further discusses this perception
and also provides some practical pointers for companies that buy one of the
broad-based/multiline policies currently available in the market.
Market Status Update, Summer 2003
Over the past 2 years, in my experience, the market leaders for selling e-business
and cyber liability insurance to large companies based in the United States
have remained the same (listed in alphabetical order, rather than my perception
of market share): ACE, AIG, Beazley, CNA, and Hiscox. Yes, there are other insurers
that sell insurance for e-business and cyber liability risks, such as Chubb,
St. Paul, Sacia, Zurich, and others, but, in my experience, the insurers that
are quoting most consistently to, and having their products purchased most consistently
by, large companies are (listed in order of how often I see them purchased as
primary carrier): AIG, ACE, CNA, Beazley, and Hiscox.
What I find most interesting about the policies sold by these insurers is
that the coverage they sell is often on a menu-driven platform, or bundled in
a multiline policy form. Let me explain. A menu-driven policy typically contains
a “common terms and conditions” coverage part, and separate, risk-specific coverage
parts that can be purchased or not, depending on what coverage the insured wants
to buy. This makes it very easy for an insured to buy and pay for only those
coverages it really wants.
In contrast, a bundled, multiline policy includes the coverage for e-business
and cyber liability risk along with other coverages (typically technology errors
and omissions, or media liability) in an intertwining way. Doing it that way
makes it difficult for the insured to buy only those coverages it wants, without
major revisions to the policy form (to excise those coverages that the insured
is not purchasing).
And in most instances, the large companies I see buying these insurance products
are buying more than only the e-business and cyber liability risk coverages.
They are also buying the technology errors and omissions and/or media liability
coverages—two coverages that have been in existence long before the Internet
age. And that is why I have been saying in this column for over a year now that
it is not, in my view, accurate to say that the market for stand-alone e-business
or cyber insurance for third-party liability risk has really taken off, at least
for large companies. Rather, the coverage for e-business and cyber liability
risks has just been folded into or combined with one or more coverages that
have been in existence for years.
Tips for the Buyer
Putting aside the debate over whether or not one can say that the market
for stand-alone e-business or cyber insurance for liability risks for large
companies has flourished, the fact of the matter is that, in my experience,
a lot of large U.S. companies are buying one of the policies sold by the insurers
mentioned above. So, in my view, the real question becomes this: What issues
should be considered when buying such insurance?
In looking through recent “wish lists” of changes I have requested on forms
sold by several of the insurers referenced above, I note that there typically
are anywhere between 20 and 30 issues to consider. Some of the issues simply
relate to issues that must be addressed in any claims-made policy. Some of the
issues relate to issues that must be addressed in any media liability or technology
errors and omissions policy. And some of the issues appear to be specific to,
if not exclusive to, the e-business and/or cyber risk coverage provided by the
policy.
The space limitations of this article make it impossible to discuss many
of the issues referenced above. However, three broad categories of issues are
discussed below for a high-level view of what one should be thinking when purchasing
such insurance.
Defense Coverage and Choice of Counsel Provisions
Some of the policy forms limit the insurer’s duty to defend to “suits” as
defined, and not as to “claims” (where “suit” is a sub-set of “claim”). This
is very similar to a structure used in Insurance Services Office, Inc. (ISO),
form commercial general liability (CGL) insurance policies, which has proven
unfavorable for insureds. Other policy forms, like traditional claims-made
policies, extend the duty to defend to all “claims.” This latter provision typically
is preferred.
In addition to reviewing how the duty to defend works, insureds should also
review the policy regarding who has the right to choose counsel who will defend
the claim. Many large companies want the right to choose counsel. Many of the
insurers selling this insurance can provide choice of counsel provisions that
differ from those in their off-the-shelf forms, and insureds are encouraged
to have a frank discussion with the insurer to expressly address such issues
(e.g., choice of counsel, hourly rate to be paid, litigation guidelines to be
followed, etc.).
I cannot overstate the importance of focusing on these defense and choice
of counsel provisions. In my experience, more time is spent on these issues
than on any other issue discussed and negotiated on these types of policies,
and these are the issues that most often make or break a deal.
B2B/B2C Activities versus Professional Services Coverage
As discussed in a prior article in this
column, most of the policies discussed in this article expressly differentiate
between coverage for business-to-business/business-to-consumer (B2B/B2C) activities,
on the one hand, and for the provision of Internet-related or other services
to others, on the other. You need to make sure that if you want coverage for
either or both of these risks, you understand exactly how the policy works with
respect to these risks.
And note also that there are various exclusions and/or conditions that need
to be reviewed very carefully and/or negotiated to minimize gaps in coverage
for B2B/B2C activities risk (e.g., electric/mechanical breakdown exclusion;
breach of security exclusion; failure to implement patches exclusion or implementation
of patches condition; bodily injury/property damage exclusion; employee malicious
conduct exclusion; etc.).
Intellectual Property Infringement Coverage
All policies offering e-business and cyber insurance for liability risks
that I have ever seen provide some level of intellectual property infringement
coverage. However, in the past year, this coverage has continually been narrowed,
with many forms deleting coverage for software copyright infringement.
It seems like when these policies first came out years ago, many of the insurers
did not focus on the fact that, the way the first such policies were written,
their policies insured software copyright infringement claims (at least with
respect to computer code used to run all or certain aspects of a Web site).
So, newer forms have been narrowed in important ways, by either expressly excluding
coverage for software copyright infringement claims, or dropping the coverage
by amending certain definitions.
The key point is that the insured must review the proposed policy forms to
understand whether or not, and how, coverage is provided for software copyright
infringement. If it’s not clear, or is expressly excluded, the insured should
raise the issue with the underwriter. Most underwriters selling the policies
discussed in this article are willing to insure software copyright infringement
risk if they are able to obtain certain underwriting information and/or additional
premium.
Concluding Remarks
In sum, U.S.-based companies that want to insure their e-business and cyber
liability risks with express policy provisions geared specifically toward such
risks have a fairly nice choice of products and insurers from which to choose.
I still would not call the insurance that is being purchased stand-alone e-business
liability or cyber liability insurance. Rather, I would characterize what has
happened as an evolution in traditional liability insurance policies that have
existed for years to insure media liability and/or technology errors and omissions
liability risk. Those traditional policies have evolved to include e-business
and cyber liability risk as one of the risks that are covered by such policies.
But with these new coverages, and new policy forms with these new as well
as traditional coverages, come new challenges. These coverages and policy forms
must be reviewed carefully, and negotiated where possible, to better ensure
that the coverage ultimately provided by the program purchased is in line with
what the insured thought he was buying.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author’s employer or IRMI. This article does not purport
to provide legal, accounting, or other professional advice or opinion. If such advice
is needed, consult with your attorney, accountant, or other qualified adviser.