This article summarizes the events witnessed in the e-commerce insurance arena
in the past year: where we were, where we are, and where we may be headed. The
trend toward excluding computer virus from commercial property policies and
reliance on stand-alone e-commerce policies are among the topics discussed.
This is part of an ongoing series on e-commerce issues. Other articles
include:
This chart lists examples of stand-alone e-commerce insurance policies. Some
of the listed forms cover both first-party losses and third-party liability
claims. Some of the forms cover only one or the other of these two types of
risks. And with regard to first-party risks, some of the forms cover only the
insured's direct loss, while some also cover the insured's liability to
others for loss (e.g., employee theft, third-party theft). Accordingly, the
description of coverages is for general information only, and the actual
coverage provided by each listed policy is subject to the terms and conditions
of that policy.
With respect to the contact information provided, in most cases it directs
you to a general home page of a website. Since it can be frustrating to try to
obtain information about products from websites, often the quickest way to get
information and/or policy wording is by contacting an insurance broker (who
works in this area) and/or the insurer itself to ask for a copy of the policy
(preferably an electronic copy).
Any insurer listed below that believes that its product has been
characterized incorrectly, please direct comments to Michael Rossi. Any such
incorrect characterization is not intentional and will be corrected if we are
advised of the error. Any insurer who is not listed below that sells
stand-alone e-commerce insurance and who wants to be listed in the chart,
please send contact information and a copy of your policy form to Michael
Rossi, whose address and other biographical information can be accessed by
clicking on his name above. Also see the Insurance Law Group website at
www.inslawgroup.com.
The first several articles in this column focused on
our perceptions of the world of e-commerce insurance issues. What were
policyholders large and small doing? What were insurance brokers doing? What
were insurers doing? We thought it would be helpful to summarize the events
that we have witnessed in the past year. Where were we last year, where are we
now, and where might we be headed?
This article focuses on the experience of large, multinational companies
headquartered in the United States and the United Kingdom, because the
author's e-commerce insurance experience is rooted in those areas. This
article is, therefore, geared toward that segment of policyholders. A future
article will focus more on the experience of smaller companies.
Where We Were Last Year
Last year, after having discussed e-commerce insurance issues with companies
since at least 1997, we saw an explosion in awareness of e-commerce insurance
issues (really after the Y2K phenomenon died down by February 2000). Many
companies came to us with one directive—help us identify potential gaps in our
insurance program with respect to e-commerce risks, and help us close those
gaps by amending our policies. Inherent in that strategy was the following
mindset: we don't want anything to do with stand-alone e-commerce
insurance.
Where We Are Now
What a difference a year makes! It is true that many insurers have amended
traditional policies to fill the
potential gaps in coverage for certain e-commerce risks. However, just as
often we've seen insurers, time and time again, refuse to provide
amendments to expressly address several issues on certain lines of insurance.
And, more importantly, some insurers are excluding coverage on certain lines of
insurance that previously had been provided.
The Good
Amending or buying traditional policies to respond to the plethora of legal
liability issues arising from e-commerce activities has not been that
difficult. Many policyholders can buy or amend traditional commercial general
liability, umbrella liability, media liability, and professional services
liability policies to cover
most of the risks discussed in the prior articles in this column (and to
match most of the legal liability risks covered by stand-alone e-commerce
policies). And, in our experience, kidnap and ransom insurers have been willing
to amend their policies to match the insuring language provided by stand-alone
e-commerce policies for extortion risk.
The Bad
However, while commercial property, crime, and fidelity bond insurers have
been willing to provide some coverage enhancements and clarifications, they do
not seem to be willing to address the following. And, to be clear, let me just
say now that each statement made below is based on my own experience. In other
words, there may be exceptions to the statements set forth below; we just
don't know of any.
Crime and Fidelity Bonds. First, no crime or fidelity bond
insurer has agreed to remove the "potential income" and
"indirect loss" exclusions from their policy forms. As previously
reported, it is important to remove those exclusions to ensure business
interruption and extra expense coverage under such policies, coverages needed
for losses caused by employee theft (as opposed to employee malicious
destruction).
Commercial property policies cover certain types of employee malicious
destruction, but exclude employee theft or employee dishonesty. So if you want
to cover business interruption and extra expense caused by employee theft or
employee dishonesty, you need to add that coverage to your crime policy or
fidelity bond. While it's easy to come up with the policy language to
address the issue, no crime or fidelity bond insurer will add it to their
traditional policy forms.
Second, crime and fidelity bond insurers also have not been receptive to
covering the insured's liability for financial injury caused by the use of
information of others that had been in the insured's care, custody, or
control but that had been stolen. For example, credit card and other sensitive
information about the insured's customers, vendors, suppliers, etc., can be
stolen and used to the financial detriment of such persons. This is different
than covering the insured's liability for the "value" of the
property of others that is stolen.
Again, it is easy enough to add language to the policy to address the issue,
but no crime or fidelity bond insurer will add the language to its traditional
policy forms.
Commercial Property. These insurers are not generally
willing to provide clarification language to expressly recognize coverage for
denial of service attacks. If you ask insurers to add such language, they
usually refuse and point to the "loss of use" exclusion as their way
of carving out the coverage. Our hunch is that this issue will be
litigated.
A variant of the issue is being litigated in the infamous Ingram
Micro case pending in the federal courts in Arizona. But even if
courts agree with policyholders that commercial property policies as currently
worded provide coverage for denial of service attacks and other loss of use or
impairment of use/functionality losses, we believe that all the insurance
industry will do is add a more express exclusion for such losses at
renewals—and where does that leave risk managers?
Also, commercial property insurers are not willing to extend legal liability
coverage to the insured's liability for financial injury caused by the use
of information of others that had been in the insured's care, custody, or
control but that had been stolen. This is the same issue as referenced above
for crime policies and fidelity bonds.
Most standard form commercial property policies cover the insured's
legal liability for the value of property of others in the insured's care,
custody, or control (the coverage is supposed to work hand-in-glove with the
care, custody, or control exclusion in commercial general liability and
umbrella liability insurance). But trying to extend the coverage to insure
legal liability for financial injury caused by another's use of the stolen
information is being met with a consistent "No."
Further, commercial property insurers are not willing to cover certain
losses caused by innocent errors in programming or machine instructions. Most
insurers use an exclusion in their forms to bar certain coverage for such risks
(some will amend the exclusion with an "ensuing loss" or
"resulting loss" exception).
The Ugly
This next item pains me the most. Unfortunately, more and more commercial
property insurers are starting to expressly exclude or severely limit coverage
for losses caused by computer virus. We first read about this issue in trade
journals late last year discussing the reinsurance industry's move to
exclude computer virus in reinsurance policies sold in the United
Kingdom/Europe. That had an effect on direct insurance sold there, with direct
insurers imposing sublimits on the coverage (because they were taking it on
"net" without reinsurance support) or excluding the coverage
altogether (because they were not willing to take it on net).
U.K., European, and Australian readers probably have witnessed this
first-hand, whereas many in the United States probably have not—yet. Our bet is
that, unfortunately, this wave of excluding computer virus from commercial
property policies will hit U.S. shores in the coming months, unless one
insurer, FM Global, takes the lead in staving off this wave.
FM Global taking a "lead" on such issues? Readers might be
wondering whatever happened to the clarification and extension language that FM
Global said it might come out with on its commercial
property and crime policies. We have not seen what FM Global is offering in the
way of any e-commerce clarifications and/or extensions on its crime policies.
(More on that issue later when the information is made available.)
We have, however, seen the e-commerce clarifications and extensions that FM
Global is offering on its commercial property policies. The clarifications are
nothing new, in my experience, and the extensions fall far short of what is
available in the stand-alone e-commerce policy market as far as coverage
wording goes. And FM Global does not appear to be offering anything more than
the stand-alone e-commerce market in the way of capacity (sublimits are placed
on the extensions that are similar to the limits available from the stand-alone
e-commerce insurers).
In our view, such a response is not taking a "lead" on these
issues—it's more like an attempt to try to keep up with the stand-alone
e-commerce pack, although from our vantage point, FM Global's response is a
year or so behind.
That said, one positive thing can be said about FM Global with respect to
its response to e-commerce risk—to date FM Global has not backed down from
confirming coverage for computer virus loss in its policies. This is extremely
important, and apparently no small accomplishment, given what is happening in
the United Kingdom/Europe and elsewhere. Time will tell whether FM Global can
weather this storm and somehow keep its computer virus coverage intact for its
customers.
Our view? Kudos to FM Global on computer virus coverage issues; but
raspberries on other e-commerce insurance issues for its commercial property
policies.
Where We Might Be Headed
In sum, stand-alone e-commerce insurance policies that address the potential
"gaps" discussed appear to be the only viable option for insuring
such risks with express insurance language. We take no solace in making this
statement, but do take seriously the job of trying to objectively report on
what is happening in the world of e-commerce insurance issues. As a result, we
predict that we will see more and more large companies take an interest in
stand-alone e-commerce insurance, especially if they cannot secure computer
virus coverage in their commercial property insurance programs.
Readers should not lose sight of something just as important—some
policyholders are obtaining amendments to traditional policies to clarify or
extend coverage for e-commerce risks. So any e-commerce insurance strategy
should include a two-pronged approach:
- Amend traditional policies and/or add traditional policies where
appropriate, and
- Explore the possibility of obtaining e-commerce insurance to cover
whatever potential "gaps" you have identified in your program but
cannot "close" by amending traditional policies or adding
traditional policies to your program.
Coming in Future Articles
In the next couple of articles for this column, we will address the
following issues.
Is computer data tangible property? We thought this question was
already asked and answered by the courts. Not necessarily. We will explain why,
and what that means for policyholders when trying to address e-commerce
insurance issues at claim time and when implementing an e-commerce insurance
strategy.
Why is buying a stand-alone e-commerce policy so difficult?
There is a unique underwriting "process" that is required, where the
risk management and information technology (IT) departments of companies must
"partner" in a way they have never done before. And the policy forms
are absolutely difficult to understand and compare (and that's coming from
an insurance lawyer who has been reading various types of insurance policies on
a weekly basis for over 10 years!). By gleaning comments from risk managers,
brokers, underwriters, and IT professionals, we will report on what appears to
be working and not working with respect to buying a stand-alone e-commerce
insurance policy.