Examine the gaps in traditional insurance policies with respect to first-party
e-commerce risks and learn some ways to close those gaps in the second article
of our Cyber Insurance series.
The first article in this series provided a general overview of how policyholders,
insurance brokers, and insurers are responding to the increased awareness of
e-commerce risks. This article examines one aspect of the insurance program
issues relating to this subject. Namely, what are the gaps in traditional
insurance policies with respect to first-party e-commerce risks, and what can
policyholders do to cover those gaps? The last article discusses
insurance issues for "third-party" liability risks associated with
e-commerce activities.
First-Party Risks
"First-party risks" are the risks generally covered by commercial
property policies, commercial crime policies, fidelity bonds, and kidnap and
ransom policies. It is true that these types of policies can also provide
liability coverage in the context of such first-party losses, when a third
party seeks to impose liability on the insured for a loss that is recognized as
a first-party loss under the policy. However, the focus of the discussion here
is on the first-party loss itself.
Commercial Property Policy Issues
With respect to commercial property policies, one gap relating to e-commerce
risks comes in the form of the requirement in most all-risk policies that there
be "physical loss or damage" to property to trigger both the property
damage and time element (e.g., business interruption and extra expense)
coverages of the policy. Some e-commerce risks involve "nonphysical
events," where it is not clear that "physical loss or damage" to
property has occurred.
Denial of Service Attacks. The most frequently referenced
example of a "nonphysical event" e-commerce loss is a denial of
service attack, where an insured's website is bombarded with millions of
bogus requests (often described in press accounts as e-mails) from a
forged source, thereby blocking access to the site by legitimate
users. (Technically, the computer server hosting the website is what has been
attacked. So, whenever "website" is mentioned in this article, it is
actually the computer server hosting the website that is being referred
to.)
A well-publicized spate of denial of service attacks occurred in February of
this year against web-based companies such as eBay. Does such an event
constitute "physical loss or damage" to any property? Insurers say,
"No." Courts most likely will side with the insurance industry on
this issue. If so, such a loss probably will not trigger either property damage
coverage or time element coverage in a traditional commercial property
policy.
Indemnity Period Provisions. Another gap occurs via the
"indemnity period" provisions of a commercial property policy. These
provisions are "key" for the time element coverage provided by such a
policy, because they determine the time period from inception of a loss for
which the insured gets to claim coverage for lost income, extra expenses, and
other time element losses. However, the indemnity period provisions in standard
commercial property policies are not well suited for all e-commerce risks, even
if the e-commerce event at issue triggers coverage in the first instance (i.e.,
triggers the "physical loss or damage" requirement).
For example, some traditional policies provide that the indemnity period
relating to losses involving computer data, software, programs, etc. (typically
those items of property falling within the definition of "electronic data
processing media" covered by the policy), is the time it takes to copy
lost or destroyed media from backup tapes or the previous generation of such
media. If that time period is minimal (e.g., a few hours or so), that time
period might not encompass the full period for which the insured sustained time
element losses.
It is true that some traditional policies provide broader indemnity period
provisions for electronic data processing (EDP) media, such as the time it
takes to replace or restore lost or damaged media, including research and
engineering costs. However, what if the loss at issue does not involve lost or
destroyed computer data, programs, software, etc., but rather simply involves
the rendering of a website or computer system useless for a period of time to
eradicate a computer virus or respond to other problems that do not involve the
actual destruction or corruption of computer data, software, or programs?
Computer Viruses. In addition to denial of service attacks,
this issue might also arise with certain types of computer viruses, such as the
recent "I Love You" virus. Early reports show that that virus did,
indeed, cause damage to computer data, software, and/or programs. However, it
also appears that in most if not all cases, that damage was not to critical
operating systems, and insureds shut down their computer systems to prevent the
spread of the virus.
In other words, viruses like the "I Love You" virus appear to be
conceptually different than viruses that cause a system or website to go down
because they delete, destroy, or otherwise corrupt data, software, or programs
that are essential to running the system or website. The system or website is
thereby rendered inoperable unless and until the lost, damaged, or corrupted
data is restored or replaced.
In brief, with respect to the "I Love You" virus and similar
viruses in the future, insurers whose policies are worded correctly likely will
recognize coverage for the cost to replace or restore any data, software, or
programs lost or damaged because of the virus. However, we have a hunch that
most insurers will not recognize coverage for time element losses related to
such viruses. They will argue that time element losses did not flow directly
from the lost or damaged data, software, or programs; rather, they flowed from
the voluntary shutdown of the insured's computer system.
Although insureds have arguments to rebut such a position and to argue
otherwise for coverage of their loss, until such coverage issues are resolved
by the courts, sound risk management should treat it as an issue that needs to
be expressly addressed in an insurance program, if for nothing more than to
confirm that the insurer's intent conforms with the insured's
expectations of coverage.
Employee Dishonesty. Another risk with respect to
commercial property policies deals with employee dishonesty. Most commercial
property policies contain an exclusion for loss caused by employee theft. Some
policies even exclude loss caused by employee malicious destruction. Even with
this latter provision removed, the policy still will exclude loss caused by
employee theft.
Insureds may not think that is a problem, because employee theft losses are
covered by commercial crime policies and fidelity bonds. However, such policies
and bonds contain a time element loss exclusion. This means that
while the property loss might be covered, the time element losses are
not.
Commercial Crime Policy and Fidelity Bond Issues
Standard commercial crime policies and fidelity bonds contain a time element
exclusion. The exclusion bars coverage for business interruption, extra
expense, etc. The exclusion does not use such words, but that is how courts
have interpreted it. The exclusion typically is labeled the "potential
income" or "indirect loss" exclusion, or some other similar
name.
So, if your e-commerce loss is an employee theft loss, the big surprise is
this: It will not be covered under your commercial property policy because of
the employee theft exclusion. Therefore, you must look to your commercial crime
policy or fidelity bond. But that policy does not cover time element losses.
Can you say "gap" in coverage? This important coverage gap with
respect to e-commerce risks and commercial crime policies and fidelity bonds is
big enough to drive a truck through.
Another gap for e-commerce risks has to do with valuation issues for
stolen computer data, software, or programs. Whereas standard commercial
property policies, once slightly amended, contain detailed valuation
provisions for lost or damaged data, software, or programs, standard commercial
crime policies and fidelity bonds do not. Such policies typically provide
coverage for the lesser of the actual cash value of the stolen property or
replacement cost. It is not clear how much, if any, coverage will be provided
for stolen EDP media under such valuation provisions.
Kidnap and Ransom (K&R) Policy Issues
E-commerce activities invite extortion risks. Consider the following
scenarios.
- A computer hacker demands money or something else of value from an
insured under threat of unleashing a denial of service attack against the
insured's computer system or website.
- A computer hacker threatens to attack an insured's computer system or
website with a virus that will delete, destroy, or otherwise corrupt the key
operating data, software, or programs necessary to operate such system or
website.
- A computer hacker threatens to hack into the insured's computer
system and delete important information, perhaps not information necessary to
run key operations, but important information nonetheless (e.g., proprietary
manufacturing, marketing, human resources, legal, or other information).
Some K&R policies limit coverage for extortion to threat of bodily
injury. Obviously, such wording does not respond to the risk mentioned here.
Some K&R policies do extend coverage to threat of damage to property.
However, it is not clear whether such wording will respond to threats of denial
of service attacks, or of computer viruses, that do not damage or destroy
computer data, software, or programs, but instead merely render such property
useless.
Closing the Gaps with New E-Commerce Insurance Policies
Several insurers have created and are selling stand-alone policies to cover
some or all of these issues. The policy forms currently available include the
following.
- Marsh's Net Secure program, underwritten by a consortium of
insurers
- The E-Risk policy from Fidelity and Deposit Companies, a member of
Zurich
- The Secure System policy from ACE USA
- The Networker policy from St. Paul
- Several policy forms from different Lloyd's facilities
AIG and Chubb also have policies under development. Some of these programs
provide both first-party coverage and liability coverage, where the insured can
pick and choose the coverages. And some of these programs can be purchased on
either a difference-in-conditions/difference-in-limits (DIC/DIL) basis or
primary basis.
These policy forms are in a state of flux, with the insurers apparently
reviewing each other's forms to try to address the same issues as much as
possible. A more detailed comparison of these and other forms, and the issues
to consider when buying them, will be the subject of future articles in this
series. Suffice it to say, however, that with respect to first-party risks,
practically all of these policies provide some form of coverage for each of the
issues raised above.
So, one way for an insured to close these gaps in coverage is simply to buy
one of these new policies, at least on a DIC/DIL basis. In that way, if an
e-commerce loss falls through the cracks of the insured's program as
constituted by traditional policies, the stand-alone e-commerce policy should
respond to the loss.
Closing the Gaps by Amending Traditional First-Party Policies
There is an alternative to buying one of the new e-commerce policies, at
least theoretically. In brief, an insured could amend one or more of the
policies to cover the gaps at issue.
For example, an insured could add express language to its commercial
property policy describing all the different types of loss events it could
experience with respect to its computer systems, website, data, software,
programs, etc., and then stating that all of such events shall be deemed
physical loss or damage for the purposes of coverage under the policy. The
insured can also amend the "indemnity period" provisions to more
closely tie into such special "physical loss or damage" language so
that the time element coverage matches up with e-commerce risks. Also, the
insured will want to make sure that the employee dishonesty exclusion is
limited to employee theft and excepts all other forms of "physical loss or
damage" to property caused by an employee.
An insured also could delete the potential income or indirect loss exclusion
(however worded) in its commercial crime policy or fidelity bond. The insured
might want to consider adding express language for time element losses (both
business interruption and extra expense at a minimum), rather than simply
relying on the deletion of the exclusion.
The insured also might want to amend the valuation provisions to more
closely mirror the valuation provisions in its commercial property policy. In
this way, whether the property is stolen by a third person (where the
commercial property policy would respond) or by an employee of the insured
(where the commercial crime policy or fidelity bond would respond), the
coverage provided by the different policies in the insured's program should
be the same.
Finally, the insured will want to amend its extortion coverage in its kidnap
and ransom policy to address e-commerce extortion risks or perhaps add the
coverage to its commercial crime policy, fidelity bond, or commercial property
policy. Several options could be available, but the point is that it needs to
be covered somewhere in the insured's program.
Indeed, there are any number of ways to add such coverages into an insurance
program. Much will depend on how the insured's program currently is
structured (i.e., what is already in the insured's policies) and its
insurers' willingness to amend their policies. That is the hitch. To date,
most insurers selling the traditional policies discussed in this article are
not willing to amend their policies to cover the gaps relating to e-commerce
risks. So, while such amendments are theoretically possible, it remains to be
seen whether they will become practically possible.
Conclusion
As discussed in the first article of this series, Fortune 1000 companies in
the United States by and large are taking the position that the insurance
industry should respond to first-party e-commerce risks by amending traditional
policies to cover the gaps.
These firms do not want to buy and administer yet another stand-alone insurance
program. In contrast, startup and middle market companies, especially dot-com
companies, which lack a sophisticated risk manager and premium clout, are
buying the new policies to address these risks.
The insurance industry to date has not shown much interest in the desires of
most Fortune 1000 companies in regard to these issues. Commercial property
insurers do not want to insure "nonphysical events." Commercial crime
and fidelity insurers do not want to insure time element losses. And K&R
insurers are wary.
The insurance brokerage community appears to be assessing the situation.
Smart brokers appreciate the different policyholder markets and are selling the
new products to the smaller/startup companies, while helping their Fortune 1000
clients try to amend their current policies or otherwise finance e-commerce
risks with alternative risk transfer solutions.
Although it is anyone's guess how these issues will play out, Fortune
1000 companies will probably eventually be successful in persuading insurers to
amend their policies to cover first-party e-commerce risks. By that time,
however, there will be an established market for stand-alone e-commerce
policies that are being purchased by middle market and startup companies, and
brokers will respond accordingly.
Coming Up Next ...
The next edition of this column discusses
insurance issues for "third-party" liability risks associated with
e-commerce activities. There is a discussion of the gaps in traditional
liability policies for such risks, how the new e-commerce liability policies
respond to them, and how insureds are reacting to these issues.