Cyber and Privacy Risk and Insurance

Cyber-Liability Insurance Issues for Large Companies

Michael Rossi | November 1, 2003


How are large firms covering their e-business and cyber-activity risks this summer? Some firms are building the cover into their current policies; others are purchasing the broad-based/multiline policies now available in the market. Watch the defense counsel and insurer selection provisions in these policies and how B2B/B2C versus professional services coverages are handled. Intellectual property infringement is another area of concern—and possible negotiation.

One of the themes of prior articles in this column has been my perception that large companies are insuring their third-party liability risk exposures arising out of e-business or cyber activities by building the cover into existing parts of their insurance program or by buying broad-based/multiline coverages where coverage for e-business and cyber-liability risks is just one of several coverages provided. This article further discusses this perception and also provides some practical pointers for companies that buy one of the broad-based/multiline policies currently available in the market.

Market Status Update, Summer 2003

For the past 2 years, in my experience, the market leaders for selling e-business and cyber-liability insurance to large companies based in the United States continue to be the same (listed in alphabetical order, rather than my perception of market share): ACE, AIG, Beazley, CNA, and Hiscox. Yes, there are other insurers that sell insurance for e-business and cyber-liability risks, such as Chubb, St. Paul, Sacia, Zurich, and others, but, in my experience, the insurers that are quoting most consistently to, and having their products purchased most consistently by, large companies are (listed in order of how often I see them purchased as primary insurer): AIG, ACE, CNA, Beazley, and Hiscox.

What I find most interesting about the policies sold by these insurers is that the coverage they sell is often on a menu-driven platform, or bundled in a multiline policy form. Let me explain. A menu-driven policy typically contains a "common terms and conditions" coverage part, and separate, risk-specific coverage parts that can be purchased or not, depending on what coverage the insured wants to buy. This makes it very easy for an insured to buy and pay for only those coverages it really wants.

In contrast, a bundled, multiline policy includes the coverage for e-business and cyber-liability risk along with other coverages (typically technology errors and omissions, or media liability) in an intertwining way. Doing it that way makes it difficult for the insured to buy only those coverages it wants, without major revisions to the policy form (to excise those coverages that the insured is not purchasing).

And in most instances, the large companies I see buying these insurance products are buying more than only the e-business and cyber-liability risk coverages. They are also buying the technology errors and omissions and/or media liability coverages—two coverages that have been in existence long before the Internet age. And that is why I have been saying in this column for over a year now that it is not, in my view, accurate to say that the market for stand-alone e-business or cyber insurance for third-party liability risk has really taken off, at least for large companies. Rather, the coverage for e-business and cyber-liability risks has just been folded into or combined with one or more coverages that have been in existence for years.

Tips for the Buyer

Putting aside the debate over whether or not one can say that the market for stand-alone e-business or cyber insurance for liability risks for large companies has flourished, the fact of the matter is that, in my experience, a lot of large U.S. companies are buying one of the policies sold by the insurers mentioned. So, in my view, the real question becomes this: What issues should be considered when buying such insurance?

In looking through recent "wish lists" of changes I have requested on forms sold by several of the insurers referenced above, I note that there typically are anywhere between 20 and 30 issues to consider. Some of the issues simply relate to issues that must be addressed in any claims-made policy. Some of the issues relate to issues that must be addressed in any media liability or technology errors and omissions policy. And some of the issues appear to be specific to, if not exclusive to, the e-business and/or cyber-risk coverage provided by the policy.

The space limitations of this article make it impossible to discuss many of the issues referenced above. However, three broad categories of issues are discussed for a high-level view of what one should be thinking when purchasing such insurance.

Defense Coverage and Choice of Counsel Provisions

Some of the policy forms limit the insurer's duty to defend to "suits" as defined, and not to "claims" (where "suit" is a subset of "claim"). This is very similar to a structure used in Insurance Services Office, Inc. (ISO), form commercial general liability (CGL) insurance policies, which has proven unfavorable for insureds. Other policy forms, like traditional claims-made policies, extend the duty to defend to all "claims." This latter provision typically is preferred.

In addition to reviewing how the duty to defend works, insureds should also review the policy regarding who has the right to choose the counsel who will defend the claim. Many large companies want the right to choose counsel. Many of the insurers selling this insurance can provide choice of counsel provisions that are different from those in their off-the-shelf forms, and insureds are encouraged to have a frank discussion with the insurer to expressly address such issues (e.g., choice of counsel, hourly rate to be paid, litigation guidelines to be followed, etc.).

I cannot overstate the importance of focusing on these defense and choice of counsel provisions. In my experience, more time is spent on these issues than on any other issue discussed and negotiated on these types of policies, and these issues make or break a deal more often than any other.

B2B/B2C Activities versus Professional Services Coverage

As discussed in a prior article in this column, most of the policies discussed in this article expressly differentiate between coverage for business-to-business/business-to-consumer (B2B/B2C) activities, on the one hand, and for the provision of Internet-related or other services to others, on the other. You need to make sure that if you want coverage for either or both of these risks, you understand exactly how the policy works with respect to these risks.

And note also that there are various exclusions and/or conditions that need to be reviewed very carefully and/or negotiated to minimize gaps in coverage for B2B/B2C activities risk (e.g., electric/mechanical breakdown exclusion; breach of security exclusion; failure to implement patches exclusion or implementation of patches condition; bodily injury/property damage exclusion; employee malicious conduct exclusion; etc.).

Intellectual Property Infringement Coverage

All policies offering e-business and cyber insurance for liability risks that I have ever seen provide some level of intellectual property infringement coverage. However, in the past year, this coverage has continually been narrowed, with many forms deleting coverage for software copyright infringement.

It seems like when these policies first came out years ago, many of the insurers did not focus on the fact that, the way the first such policies were written, their policies insured software copyright infringement claims (at least with respect to computer code used to run all or certain aspects of a website). So, newer forms have been narrowed in important ways, by either expressly excluding coverage for software copyright infringement claims, or dropping the coverage by amending certain definitions.

The key point is that the insured must review the proposed policy forms to understand whether or not, and how, coverage is provided for software copyright infringement. If it's not clear, or is expressly excluded, the insured should raise the issue with the underwriter. Most underwriters selling the policies discussed in this article are willing to insure software copyright infringement risk if they are able to obtain certain underwriting information and/or additional premium.

Concluding Remarks

In sum, U.S.-based companies that want to insure their e-business and cyber-liability risks with express policy provisions geared specifically toward such risks have a fairly nice choice of products and insurers from which to choose. I still would not call the insurance that is being purchased stand-alone e-business liability or cyber-liability insurance. Rather, I would characterize what has happened as an evolution in traditional liability insurance policies that have existed for years to insure media liability and/or technology errors and omissions liability risk. Those traditional policies have evolved to include e-business and cyber-liability risk as one of the risks that are covered by such policies.

But with these new coverages, and new policy forms with these new as well as traditional coverages, come new challenges. These coverages and policy forms must be reviewed carefully, and negotiated where possible, to better ensure that the coverage ultimately provided by the program purchased is in line with what the insured thought he was buying.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.