Expert Commentary

E-Commerce Insurance Issues: A Year in Review

This article summarizes the events witnessed in the e-commerce insurance arena in the past year: where we were, where we are, and where we may be headed. The trend toward excluding computer virus from commercial property policies and reliance on stand-alone e-commerce policies are among the topics discussed.


Cyber and Privacy Risk and Insurance
June 2001

This is part of an ongoing series on e-commerce issues. Other articles include:

Stand Alone E-Commerce Market Survey

This chart lists examples of stand-alone e-commerce insurance policies. Some of the listed forms cover both first-party losses and third-party liability claims. Some of the forms cover only one or the other of these two types of risks. And with regard to first-party risks, some of the forms cover only the insured's direct loss, while some also cover the insured's liability to others for loss (e.g., employee theft, third-party theft). Accordingly, the description of coverages is for general information only, and the actual coverage provided by each listed policy is subject to the terms and conditions of that policy.

With respect to the contact information provided, in most cases it directs you to a general home page of a website. Since it can be frustrating to try to obtain information about products from websites, often the quickest way to get information and/or policy wording is by contacting an insurance broker (who works in this area) and/or the insurer itself to ask for a copy of the policy (preferably an electronic copy).

Any insurer listed below that believes that its product has been characterized incorrectly, please direct comments to Michael Rossi. Any such incorrect characterization is not intentional and will be corrected if we are advised of the error. Any insurer who is not listed below that sells stand-alone e-commerce insurance and who wants to be listed in the chart, please send contact information and a copy of your policy form to Michael Rossi, whose address and other biographical information can be accessed by clicking on his name above. Also see the Insurance Law Group website at www.inslawgroup.com.


Insurer, Managing General Agent, or Insurance Broker Policy Name 3rd Pty. Crime Employee Dishonesty BI and EE Extor-
tion
Prof. Svcs. Liab. Media E&O Liab.
Policies Sold in the U.S.
AIG NetAdvantage Pro + Internet Professional Liability Policy No No No No Yes Yes
AIG NetAdvantage Security + Internet and Computer Network Security Policy Yes Yes Yes Yes No Yes
AIG Net Advantage Liability Internet and Professional Security Liability Insurance Partial: for liability arising therefrom Partial: for liability arising therefrom No Yes Yes Yes
AIG ProTech Technology Liability Insurance Policy No No No No Yes Yes
Chubb Cyber Security Yes Yes Yes Yes No No
Chubb Executive Risk Safety'Net Internet Liability Insurance No No No No No Yes
Hiscox Hacker Insurance Yes Yes Yes Yes Yes Yes
Legion Indemnity Company INSUREtrust Electronic Information E&O (EIE&O) Liability Policy Partial: for liability arising therefrom Partial: for liability arising therefrom No No Yes Yes
Lloyd's Computer Information and Data Security Insurance Yes Yes Yes Yes Yes Yes
Lloyd's
(WISP)
Website Crime & Intranet Insurance Yes Yes Yes Yes No No
Lloyd's
(Besso)
Technology, Media and Professional Liability Insurance No No No No Yes Yes
Lloyd's
(JLT Risk Solutions)
E-Comprehensive Yes Yes Yes Yes Yes Yes
Marsh NetSecure Yes Yes Yes Yes Yes Yes
Media/Professional Liability (Gulf) CyberLiability Plus Insurance Policy No No No No Yes Yes
Royal Surplus Lines Computer, Telecommunications and Internet Services Liability Coverage No No No No Yes Yes
St. Paul Technology Premier Computer Network Security Protection (Networker) Yes Yes Yes Yes No No
St. Paul Cybertech+ Liability No No No No Yes Yes
Tamarack
(Great American)
Dot.Com Errors and Omissions Liability Insurance Policy No No No No Yes Yes
Zurich North American Financial Enterprises E-Risk Protection Policy Yes Yes Yes Yes No Yes
Policies Sold in Europe
ACE Europe DataGuard Yes Yes Can be added Yes No No
Hiscox Hacker Insurance Yes Yes Yes Yes Yes Yes
Lloyd's
(JLT Risk Solutions)
E-Comprehensive Yes Yes Yes Yes Yes Yes
Marsh NetSecure Yes Yes Yes Yes Yes Yes
Park Insurance Services Internet Insurance No No No No Yes Yes
Zurich North American Financial Enterprises E-Risk Protection Policy Yes Yes Yes Yes No Yes
Policies Sold in Australia
Marsh NetSecure Yes Yes Yes Yes Yes Yes
St. Paul Technology Premier Computer Network Security Protection (Networker) Yes Yes Yes Yes No No
St. Paul Cybertech+ Liability No No No No Yes Yes

The first several articles in this column focused on our perceptions of the world of e-commerce insurance issues. What were policyholders large and small doing? What were insurance brokers doing? What were insurers doing? We thought it would be helpful to summarize the events that we have witnessed in the past year. Where were we last year, where are we now, and where might we be headed?

This article focuses on the experience of large, multinational companies headquartered in the United States and the United Kingdom, because the author's e-commerce insurance experience is rooted in those areas. This article is, therefore, geared toward that segment of policyholders. A future article will focus more on the experience of smaller companies.

Where We Were Last Year

Last year, after having discussed e-commerce insurance issues with companies since at least 1997, we saw an explosion in awareness of e-commerce insurance issues (really after the Y2K phenomenon died down by February 2000). Many companies came to us with one directive—help us identify potential gaps in our insurance program with respect to e-commerce risks, and help us close those gaps by amending our policies. Inherent in that strategy was the following mindset: we don't want anything to do with stand-alone e-commerce insurance.

Where We Are Now

What a difference a year makes! It is true that many insurers have amended traditional policies to fill the potential gaps in coverage for certain e-commerce risks. However, just as often we've seen insurers, time and time again, refuse to provide amendments to expressly address several issues on certain lines of insurance. And, more importantly, some insurers are excluding coverage on certain lines of insurance that previously had been provided.

The Good

Amending or buying traditional policies to respond to the plethora of legal liability issues arising from e-commerce activities has not been that difficult. Many policyholders can buy or amend traditional commercial general liability, umbrella liability, media liability, and professional services liability policies to cover most of the risks discussed in the prior articles in this column (and to match most of the legal liability risks covered by stand-alone e-commerce policies). And, in our experience, kidnap and ransom insurers have been willing to amend their policies to match the insuring language provided by stand-alone e-commerce policies for extortion risk.

The Bad

However, while commercial property, crime, and fidelity bond insurers have been willing to provide some coverage enhancements and clarifications, they do not seem to be willing to address the following. And, to be clear, let me just say now that each statement made below is based on my own experience. In other words, there may be exceptions to the statements set forth below; we just don't know of any.

Crime and Fidelity Bonds. First, no crime or fidelity bond insurer has agreed to remove the "potential income" and "indirect loss" exclusions from their policy forms. As previously reported, it is important to remove those exclusions to ensure business interruption and extra expense coverage under such policies, coverages needed for losses caused by employee theft (as opposed to employee malicious destruction).

Commercial property policies cover certain types of employee malicious destruction, but exclude employee theft or employee dishonesty. So if you want to cover business interruption and extra expense caused by employee theft or employee dishonesty, you need to add that coverage to your crime policy or fidelity bond. While it's easy to come up with the policy language to address the issue, no crime or fidelity bond insurer will add it to their traditional policy forms.

Second, crime and fidelity bond insurers also have not been receptive to covering the insured's liability for financial injury caused by the use of information of others that had been in the insured's care, custody, or control but that had been stolen. For example, credit card and other sensitive information about the insured's customers, vendors, suppliers, etc., can be stolen and used to the financial detriment of such persons. This is different than covering the insured's liability for the "value" of the property of others that is stolen.

Again, it is easy enough to add language to the policy to address the issue, but no crime or fidelity bond insurer will add the language to its traditional policy forms.

Commercial Property. These insurers are not generally willing to provide clarification language to expressly recognize coverage for denial of service attacks. If you ask insurers to add such language, they usually refuse and point to the "loss of use" exclusion as their way of carving out the coverage. Our hunch is that this issue will be litigated.

A variant of the issue is being litigated in the infamous Ingram Micro case pending in the federal courts in Arizona. But even if courts agree with policyholders that commercial property policies as currently worded provide coverage for denial of service attacks and other loss of use or impairment of use/functionality losses, we believe that all the insurance industry will do is add a more express exclusion for such losses at renewals—and where does that leave risk managers?

Also, commercial property insurers are not willing to extend legal liability coverage to the insured's liability for financial injury caused by the use of information of others that had been in the insured's care, custody, or control but that had been stolen. This is the same issue as referenced above for crime policies and fidelity bonds.

Most standard form commercial property policies cover the insured's legal liability for the value of property of others in the insured's care, custody, or control (the coverage is supposed to work hand-in-glove with the care, custody, or control exclusion in commercial general liability and umbrella liability insurance). But trying to extend the coverage to insure legal liability for financial injury caused by another's use of the stolen information is being met with a consistent "No."

Further, commercial property insurers are not willing to cover certain losses caused by innocent errors in programming or machine instructions. Most insurers use an exclusion in their forms to bar certain coverage for such risks (some will amend the exclusion with an "ensuing loss" or "resulting loss" exception).

The Ugly

This next item pains me the most. Unfortunately, more and more commercial property insurers are starting to expressly exclude or severely limit coverage for losses caused by computer virus. We first read about this issue in trade journals late last year discussing the reinsurance industry's move to exclude computer virus in reinsurance policies sold in the United Kingdom/Europe. That had an effect on direct insurance sold there, with direct insurers imposing sublimits on the coverage (because they were taking it on "net" without reinsurance support) or excluding the coverage altogether (because they were not willing to take it on net).

U.K., European, and Australian readers probably have witnessed this first-hand, whereas many in the United States probably have not—yet. Our bet is that, unfortunately, this wave of excluding computer virus from commercial property policies will hit U.S. shores in the coming months, unless one insurer, FM Global, takes the lead in staving off this wave.

FM Global taking a "lead" on such issues? Readers might be wondering whatever happened to the clarification and extension language that FM Global said it might come out with on its commercial property and crime policies. We have not seen what FM Global is offering in the way of any e-commerce clarifications and/or extensions on its crime policies. (More on that issue later when the information is made available.)

We have, however, seen the e-commerce clarifications and extensions that FM Global is offering on its commercial property policies. The clarifications are nothing new, in my experience, and the extensions fall far short of what is available in the stand-alone e-commerce policy market as far as coverage wording goes. And FM Global does not appear to be offering anything more than the stand-alone e-commerce market in the way of capacity (sublimits are placed on the extensions that are similar to the limits available from the stand-alone e-commerce insurers).

In our view, such a response is not taking a "lead" on these issues—it's more like an attempt to try to keep up with the stand-alone e-commerce pack, although from our vantage point, FM Global's response is a year or so behind.

That said, one positive thing can be said about FM Global with respect to its response to e-commerce risk—to date FM Global has not backed down from confirming coverage for computer virus loss in its policies. This is extremely important, and apparently no small accomplishment, given what is happening in the United Kingdom/Europe and elsewhere. Time will tell whether FM Global can weather this storm and somehow keep its computer virus coverage intact for its customers.

Our view? Kudos to FM Global on computer virus coverage issues; but raspberries on other e-commerce insurance issues for its commercial property policies.

Where We Might Be Headed

In sum, stand-alone e-commerce insurance policies that address the potential "gaps" discussed appear to be the only viable option for insuring such risks with express insurance language. We take no solace in making this statement, but do take seriously the job of trying to objectively report on what is happening in the world of e-commerce insurance issues. As a result, we predict that we will see more and more large companies take an interest in stand-alone e-commerce insurance, especially if they cannot secure computer virus coverage in their commercial property insurance programs.

Readers should not lose sight of something just as important—some policyholders are obtaining amendments to traditional policies to clarify or extend coverage for e-commerce risks. So any e-commerce insurance strategy should include a two-pronged approach:

  1. Amend traditional policies and/or add traditional policies where appropriate, and
  2. Explore the possibility of obtaining e-commerce insurance to cover whatever potential "gaps" you have identified in your program but cannot "close" by amending traditional policies or adding traditional policies to your program.

Coming in Future Articles

In the next couple of articles for this column, we will address the following issues.

Is computer data tangible property? We thought this question was already asked and answered by the courts. Not necessarily. We will explain why, and what that means for policyholders when trying to address e-commerce insurance issues at claim time and when implementing an e-commerce insurance strategy.

Why is buying a stand-alone e-commerce policy so difficult? There is a unique underwriting "process" that is required, where the risk management and information technology (IT) departments of companies must "partner" in a way they have never done before. And the policy forms are absolutely difficult to understand and compare (and that's coming from an insurance lawyer who has been reading various types of insurance policies on a weekly basis for over 10 years!). By gleaning comments from risk managers, brokers, underwriters, and IT professionals, we will report on what appears to be working and not working with respect to buying a stand-alone e-commerce insurance policy.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

Like This Article?

IRMI Update

Dive into thought-provoking industry commentary every other week, including links to free articles from industry experts. Discover practical risk management tips, insight on important case law and be the first to receive important news regarding IRMI products and events.

Learn More