Expert Commentary

New Stand-Alone E-Commerce Insurance Policies for First-Party Risks

This article discusses some of the issues to consider when reviewing e-commerce policies offering coverage for the following "first-party" risks: natural peril property damage, employee dishonesty, third-party crime/malicious conduct, extortion, computer programming error, and business interruption/extra expense.


Cyber and Privacy Risk and Insurance
February 2001

This is part of an ongoing series on e-commerce issues. Other articles include:

 

Stand Alone E-Commerce Market Survey

This chart lists examples of stand-alone e-commerce insurance policies. Some of the listed forms cover both first-party losses and third-party liability claims. Some of the forms cover only one or the other of these two types of risks. And with regard to first-party risks, some of the forms cover only the insured's direct loss, while some also cover the insured's liability to others for loss (e.g., employee theft, third-party theft). Accordingly, the description of coverages is for general information only, and the actual coverage provided by each listed policy is subject to the terms and conditions of that policy.

With respect to the contact information provided, in most cases it directs you to a general home page of a website. Since it can be frustrating to try to obtain information about products from websites, often the quickest way to get information and/or policy wording is by contacting an insurance broker (who works in this area) and/or the insurer itself to ask for a copy of the policy (preferably an electronic copy).

Any insurer listed below that believes that its product has been characterized incorrectly, please direct comments to Michael Rossi. Any such incorrect characterization is not intentional and will be corrected if we are advised of the error. Any insurer who is not listed below that sells stand-alone e-commerce insurance and who wants to be listed in the chart, please send contact information and a copy of your policy form to Michael Rossi, whose address and other biographical information can be accessed by clicking on his name above. Also see the Insurance Law Group website at www.inslawgroup.com.

 


Insurer, Managing General Agent, or Insurance Broker Policy Name 3rd Pty. Crime Employee Dishonesty BI and EE Extor-
tion
Prof. Svcs. Liab. Media E&O Liab.
Policies Sold in the US
AIG NetAdvantage Pro + Internet Professional Liability Policy No No No No Yes Yes
AIG NetAdvantage Security + Internet and Computer Network Security Policy Yes Yes Yes Yes No Yes
AIG Net Advantage Liability Internet and Professional Security Liability Insurance Partial: for liability arising therefrom Partial: for liability arising therefrom No Yes Yes Yes
AIG ProTech Technology Liability Insurance Policy No No No No Yes Yes
Chubb Cyber Security Yes Yes Yes Yes No No
Chubb Executive Risk Safety'Net Internet Liability Insurance No No No No No Yes
Hiscox Hacker Insurance Yes Yes Yes Yes Yes Yes
Legion Indemnity Company INSUREtrust Electronic Information E&O (EIE&O) Liability Policy Partial: for liability arising therefrom Partial: for liability arising therefrom No No Yes Yes
Lloyd's Computer Information and Data Security Insurance Yes Yes Yes Yes Yes Yes
Lloyd's
(WISP)
Website Crime & Intranet Insurance Yes Yes Yes Yes No No
Lloyd's
(Besso)
Technology, Media and Professional Liability Insurance No No No No Yes Yes
Lloyd's
(JLT Risk Solutions)
E-Comprehensive Yes Yes Yes Yes Yes Yes
Marsh NetSecure Yes Yes Yes Yes Yes Yes
Media/Professional Liability (Gulf) CyberLiability Plus Insurance Policy No No No No Yes Yes
Royal Surplus Lines Computer, Telecommunications and Internet Services Liability Coverage No No No No Yes Yes
St. Paul Technology Premier Computer Network Security Protection (Networker) Yes Yes Yes Yes No No
St. Paul Cybertech+ Liability No No No No Yes Yes
Tamarack
(Great American)
Dot.Com Errors and Omissions Liability Insurance Policy No No No No Yes Yes
Zurich North American Financial Enterprises E-Risk Protection Policy Yes Yes Yes Yes No Yes
Policies Sold in Europe
ACE Europe DataGuard Yes Yes Can be added Yes No No
Hiscox Hacker Insurance Yes Yes Yes Yes Yes Yes
Lloyd's
(JLT Risk Solutions)
E-Comprehensive Yes Yes Yes Yes Yes Yes
Marsh NetSecure Yes Yes Yes Yes Yes Yes
Park Insurance Services Internet Insurance No No No No Yes Yes
Zurich North American Financial Enterprises E-Risk Protection Policy Yes Yes Yes Yes No Yes
Policies Sold in Australia
Marsh NetSecure Yes Yes Yes Yes Yes Yes
St. Paul Technology Premier Computer Network Security Protection (Networker) Yes Yes Yes Yes No No
St. Paul Cybertech+ Liability No No No No Yes Yes

 


In the previous installment to this column, we examined the state of the market in the United States for stand-alone e-commerce insurance policies offering third-party "liability insurance" coverage. This article gives a broad overview of the issues that a corporate insured should consider if it is going to use one or more of the new stand-alone e-commerce insurance policies to insure "first-party" e-commerce risks.

Using the terms "liability" e-commerce insurance and "first-party" e-commerce insurance is a bit of a misnomer. Employee dishonesty and third-party malicious conduct exposures have liability risks associated with them. And coverage for the insured's liability arising from employee dishonesty and third-party malicious conduct can be provided by crime policies. The same is true with respect to the risk of liability to others for lost or damaged property in the insured's care, custody, or control. To varying degrees, such liability can be covered under commercial property policies.

In any event, this article discusses some of the issues to consider when reviewing e-commerce policies offering coverage for one or more of the following "first-party" risks: natural peril property damage, employee dishonesty, third-party crime/malicious conduct, extortion, computer programming error, and business interruption/extra expense.

It is written in the context of the author's experience working with multinational corporate insureds based in the United States and the United Kingdom that are trying to address their e-commerce insurance needs. But the message being delivered here is intended for insurance professionals located throughout the world, because in recent projects, it appears that e-commerce insurance wordings are developing differently in different parts of the world. Perhaps more than for any other subject in the past (except maybe for Y2K issues), e-commerce insurance issues must be examined at the international comparative level. Henceforth, this column will endeavor to do just that.

State of the Market for Stand-Alone First-Party E-Commerce Insurance Policies

 

Stand Alone E-Commerce Market Survey

 

This chart lists examples of stand-alone e-commerce insurance policies. Some of the listed forms cover both first-party losses and third-party liability claims. Some of the forms cover only one or the other of these two types of risks. And with regard to first-party risks, some of the forms cover only the insured's direct loss, while some also cover the insured's liability to others for loss (e.g., employee theft, third-party theft). Accordingly, the description of coverages is for general information only, and the actual coverage provided by each listed policy is subject to the terms and conditions of that policy.

With respect to the contact information provided, in most cases it directs you to a general home page of a website. Since it can be frustrating to try to obtain information about products from websites, often the quickest way to get information and/or policy wording is by contacting an insurance broker (who works in this area) and/or the insurer itself to ask for a copy of the policy (preferably an electronic copy).

Any insurer listed below that believes that its product has been characterized incorrectly, please direct comments to Michael Rossi. Any such incorrect characterization is not intentional and will be corrected if we are advised of the error. Any insurer who is not listed below that sells stand-alone e-commerce insurance and who wants to be listed in the chart, please send contact information and a copy of your policy form to Michael Rossi, whose address and other biographical information can be accessed by clicking on his name above. Also see the Insurance Law Group website at www.inslawgroup.com.

 


Insurer, Managing General Agent, or Insurance Broker Policy Name 3rd Pty. Crime Employee Dishonesty BI and EE Extor-
tion
Prof. Svcs. Liab. Media E&O Liab.
Policies Sold in the US
AIG NetAdvantage Pro + Internet Professional Liability Policy No No No No Yes Yes
AIG NetAdvantage Security + Internet and Computer Network Security Policy Yes Yes Yes Yes No Yes
AIG Net Advantage Liability Internet and Professional Security Liability Insurance Partial: for liability arising therefrom Partial: for liability arising therefrom No Yes Yes Yes
AIG ProTech Technology Liability Insurance Policy No No No No Yes Yes
Chubb Cyber Security Yes Yes Yes Yes No No
Chubb Executive Risk Safety'Net Internet Liability Insurance No No No No No Yes
Hiscox Hacker Insurance Yes Yes Yes Yes Yes Yes
Legion Indemnity Company INSUREtrust Electronic Information E&O (EIE&O) Liability Policy Partial: for liability arising therefrom Partial: for liability arising therefrom No No Yes Yes
Lloyd's Computer Information and Data Security Insurance Yes Yes Yes Yes Yes Yes
Lloyd's
(WISP)
Website Crime & Intranet Insurance Yes Yes Yes Yes No No
Lloyd's
(Besso)
Technology, Media and Professional Liability Insurance No No No No Yes Yes
Lloyd's
(JLT Risk Solutions)
E-Comprehensive Yes Yes Yes Yes Yes Yes
Marsh NetSecure Yes Yes Yes Yes Yes Yes
Media/Professional Liability (Gulf) CyberLiability Plus Insurance Policy No No No No Yes Yes
Royal Surplus Lines Computer, Telecommunications and Internet Services Liability Coverage No No No No Yes Yes
St. Paul Technology Premier Computer Network Security Protection (Networker) Yes Yes Yes Yes No No
St. Paul Cybertech+ Liability No No No No Yes Yes
Tamarack
(Great American)
Dot.Com Errors and Omissions Liability Insurance Policy No No No No Yes Yes
Zurich North American Financial Enterprises E-Risk Protection Policy Yes Yes Yes Yes No Yes
Policies Sold in Europe
ACE Europe DataGuard Yes Yes Can be added Yes No No
Hiscox Hacker Insurance Yes Yes Yes Yes Yes Yes
Lloyd's
(JLT Risk Solutions)
E-Comprehensive Yes Yes Yes Yes Yes Yes
Marsh NetSecure Yes Yes Yes Yes Yes Yes
Park Insurance Services Internet Insurance No No No No Yes Yes
Zurich North American Financial Enterprises E-Risk Protection Policy Yes Yes Yes Yes No Yes
Policies Sold in Australia
Marsh NetSecure Yes Yes Yes Yes Yes Yes
St. Paul Technology Premier Computer Network Security Protection (Networker) Yes Yes Yes Yes No No
St. Paul Cybertech+ Liability No No No No Yes Yes

 

There are several different ways to buy stand-alone e-commerce insurance. That is because the market is divided into endless variations.

Some of the new forms provide coverage only for professional services liability and media errors and omissions liability. Some new forms provide coverage only for employee dishonesty and third-party malicious conduct, such as crime and extortion (both for loss of property, money, securities, etc., as well as for business interruption and extra expense). But within that market there are several different variations, the difference being what amount, if any, of liability coverage is offered for indemnity and defense, because of theft of or dissemination of data, information, etc., of others, for which the insured is liable.

Some of the new forms provide coverage for not only employee dishonesty and third-party malicious conduct, but also for loss caused by natural perils, as well as by a computer programming negligent act, error, or omission by the insured's employee or independent contractor. However, many of the forms exclude both of these perils.

Finally, some of the new forms combine one or more of the foregoing coverages into a program that provides both liability and first-party coverage.

Capacity

As far as capacity goes, some insurers are offering only minimal capacity (e.g., $2 or $3 million in limits). One can discern right away that these insurers are looking to insure only smaller companies. Some insurers are offering greater capacity, but the limits seen to date really are not meaningful for many large companies (many companies are looking to maintain the same limits that are maintained in the other policies in their programs—e.g., hundreds of millions, if not billions, of dollars for the very large companies—but capacity appears to be in the low tens of millions of dollars).

One insurer to watch, however, is FM Global. That insurer had intended to "launch" e-commerce wordings for its property and crime coverages in December 2000. It is rumored that such offerings will not be new "stand-alone" products, but rather will be endorsements to FM Global's current policy forms. However, the "launch" date got pushed back first to January 2001, then to February 2001, and as of the time of this article's publication, the launch date is set for April 1, 2001 (and who really can say when, if ever, FM Global will launch its promised wordings?).

 

Stand Alone E-Commerce Market Survey

 

This chart lists examples of stand-alone e-commerce insurance policies. Some of the listed forms cover both first-party losses and third-party liability claims. Some of the forms cover only one or the other of these two types of risks. And with regard to first-party risks, some of the forms cover only the insured's direct loss, while some also cover the insured's liability to others for loss (e.g., employee theft, third-party theft). Accordingly, the description of coverages is for general information only, and the actual coverage provided by each listed policy is subject to the terms and conditions of that policy.

With respect to the contact information provided, in most cases it directs you to a general home page of a website. Since it can be frustrating to try to obtain information about products from websites, often the quickest way to get information and/or policy wording is by contacting an insurance broker (who works in this area) and/or the insurer itself to ask for a copy of the policy (preferably an electronic copy).

Any insurer listed below that believes that its product has been characterized incorrectly, please direct comments to Michael Rossi. Any such incorrect characterization is not intentional and will be corrected if we are advised of the error. Any insurer who is not listed below that sells stand-alone e-commerce insurance and who wants to be listed in the chart, please send contact information and a copy of your policy form to Michael Rossi, whose address and other biographical information can be accessed by clicking on his name above. Also see the Insurance Law Group website at www.inslawgroup.com.

 


Insurer, Managing General Agent, or Insurance Broker Policy Name 3rd Pty. Crime Employee Dishonesty BI and EE Extor-
tion
Prof. Svcs. Liab. Media E&O Liab.
Policies Sold in the US
AIG NetAdvantage Pro + Internet Professional Liability Policy No No No No Yes Yes
AIG NetAdvantage Security + Internet and Computer Network Security Policy Yes Yes Yes Yes No Yes
AIG Net Advantage Liability Internet and Professional Security Liability Insurance Partial: for liability arising therefrom Partial: for liability arising therefrom No Yes Yes Yes
AIG ProTech Technology Liability Insurance Policy No No No No Yes Yes
Chubb Cyber Security Yes Yes Yes Yes No No
Chubb Executive Risk Safety'Net Internet Liability Insurance No No No No No Yes
Hiscox Hacker Insurance Yes Yes Yes Yes Yes Yes
Legion Indemnity Company INSUREtrust Electronic Information E&O (EIE&O) Liability Policy Partial: for liability arising therefrom Partial: for liability arising therefrom No No Yes Yes
Lloyd's Computer Information and Data Security Insurance Yes Yes Yes Yes Yes Yes
Lloyd's
(WISP)
Website Crime & Intranet Insurance Yes Yes Yes Yes No No
Lloyd's
(Besso)
Technology, Media and Professional Liability Insurance No No No No Yes Yes
Lloyd's
(JLT Risk Solutions)
E-Comprehensive Yes Yes Yes Yes Yes Yes
Marsh NetSecure Yes Yes Yes Yes Yes Yes
Media/Professional Liability (Gulf) CyberLiability Plus Insurance Policy No No No No Yes Yes
Royal Surplus Lines Computer, Telecommunications and Internet Services Liability Coverage No No No No Yes Yes
St. Paul Technology Premier Computer Network Security Protection (Networker) Yes Yes Yes Yes No No
St. Paul Cybertech+ Liability No No No No Yes Yes
Tamarack
(Great American)
Dot.Com Errors and Omissions Liability Insurance Policy No No No No Yes Yes
Zurich North American Financial Enterprises E-Risk Protection Policy Yes Yes Yes Yes No Yes
Policies Sold in Europe
ACE Europe DataGuard Yes Yes Can be added Yes No No
Hiscox Hacker Insurance Yes Yes Yes Yes Yes Yes
Lloyd's
(JLT Risk Solutions)
E-Comprehensive Yes Yes Yes Yes Yes Yes
Marsh NetSecure Yes Yes Yes Yes Yes Yes
Park Insurance Services Internet Insurance No No No No Yes Yes
Zurich North American Financial Enterprises E-Risk Protection Policy Yes Yes Yes Yes No Yes
Policies Sold in Australia
Marsh NetSecure Yes Yes Yes Yes Yes Yes
St. Paul Technology Premier Computer Network Security Protection (Networker) Yes Yes Yes Yes No No
St. Paul Cybertech+ Liability No No No No Yes Yes

 

Reviewing Quotes of Stand-Alone E-Commerce Insurance for First-Party Risks

There are myriad issues to consider when reviewing a quote for stand-alone e-commerce insurance. Space limitations prohibit a complete discussion. The list of issues discussed in this article is illustrative, rather than exhaustive.

Do the Employee Dishonesty/Crime Coverages Extend to the Insured's Liability to Others? It is important to review the employee dishonesty and third-party malicious conduct sections of the policy. It is important to get coverage not only for your company's direct loss, but also for your company's legal liability to others arising from employee dishonesty and third-party malicious conduct. Also, ensure that defense costs are included in such coverage. Finally, please note that some of the e-commerce forms distinguish between the type of liability cover they offer. Some limit the cover to liability to others for the value of the property that was lost/stolen. Others, however, extend the cover to liability to others if the lost/stolen property was used by the perpetrator of the crime in a way that causes damages to the other persons.

The "classic" e-commerce example given by most commentators is theft of credit card numbers or other information about an insured's customers and use of those numbers and other information to the financial injury of such customers. Another example given is theft of information about children who have come to a website, or whose parents have entered data about the children on a website, and a perpetrator getting a hold of the information and somehow harming a child (whether emotionally or physically).

Does the Policy Cover Computer Programming Errors? This is a very "hot" issue in the United States as well as the United Kingdom. Many e-commerce forms expressly exclude coverage for errors in computer programming. Some of the forms expressly cover the risk, but only for property loss (excluding business interruption and extra expense loss). Some of the forms cover the risk only for third-party contractor errors, but not for employee errors. And only one or two of the forms provide both property and business interruption/extra expense coverage for this risk, regardless of whether an employee or third-party contractor caused the loss.

Does the Policy Cover "Natural Perils"? Interestingly, most policies offered in the United States expressly exclude natural peril losses and limit coverage to losses caused by employee dishonesty or third-party malicious conduct. However, it seems that many policies offered in the United Kingdom expressly provide coverage for natural peril losses. Indeed, one global insurer sells an e-commerce form in the United States that has a "natural perils" exclusion, and the text of that exclusion serves, more or less, as a coverage grant for the same insurer's e-commerce form sold in the United Kingdom/Europe.

Does the Business Interruption and Extra Expense Coverage Extend to Contingent Risks? A common enhancement in traditional property policies offering business interruption/extra expense is to obtain coverage for "contingent" business interruption and "contingent" extra expense. Such coverage applies when an insured suffers a business interruption or extra expense loss because the insured's customer or supplier suffers a loss and cannot accept the insured's goods (in the case of the customer) or provide the insured with raw materials to create product (in the case of the supplier). A supplier or customer could "go down" just as easily because of an e-commerce-related loss as it could "go down" by fire, explosion, flood, or earthquake. Thus, it is important to get contingent time element coverage into any first-party e-commerce policy. However, only a handful of the policy forms in the market expressly provide for such coverage.

Does the Definition of "Covered Property" Extend to Trade Secrets and Other Confidential Information? The first-party coverage wordings all use different terminology to address the issue of whether, and to what extent, confidential information and trade secrets are covered. Some of the policies expressly cover all forms of confidential information, including trade secrets. Some policies expressly exclude trade secrets from being covered, and allow only coverage for customer and client information when it comes to confidential information. Not only is it important to try to get trade secrets covered, but care also must be taken in reviewing the valuation provisions for trade secrets to make sure that the coverage being offered is meaningful (you likely want coverage for the lost income caused by the misappropriated trade secrets, or the cost of research and development of the lost trade secrets, whichever is greater).

Difference-in-Conditions/Difference-in-Limits Issues

If you are the risk manager of a large company and are buying one of these new e-commerce insurance policies, you likely are buying it on a difference-in-conditions/difference-in-limits ("DIC/DIL") basis. The DIC/DIL concept is that the policy "sits behind" and "sits on top of" all the other coverages in your program. If something falls through the cracks or is underinsured, the DIC/DIL policy is there to protect you (subject to the policy's terms and conditions, of course).

Although the concept sounds straightforward, DIC/DIL policies can be tricky. For one, you need to make sure that the defense provisions in the DIC/DIL policy are the same as the defense provisions in the underlying policies. Trouble can result if an underlying policy gives the insured the absolute right to control the defense of a claim, but the DIC/DIL policy gives the insurer that right. The same problems can arise if the provisions are reversed—that is, the underlying policy provides that the insurer has the right and duty to defend claims, whereas the DIC/DIL policy provides that it is the duty of the insured to defend claims. There are other issues to consider as well, but space limitations preclude a further discussion of them.

The Need To Review E-Commerce Wording Offerings on a Global Basis

Perhaps more than any other insurance issue that has come before (except maybe the Y2K issue), these e-commerce insurance issues must be analyzed on a global basis. All multinational corporate insureds, regardless of where they are headquartered, should be demanding the same breadth of coverage that other multinationals based in other parts of the world are obtaining. The only way to attempt to achieve that goal is to obtain and review the e-commerce insurance wording offerings (both in the stand-alone market and by endorsement to traditional policies) in the major insurance markets of the world.

Without doubt, e-commerce insurance wordings (both in stand-alone e-commerce policies and endorsements to traditional policies) are developing differently around the world. One large global insurer, for example, sells stand-alone e-commerce insurance in the United States and the United Kingdom. What serves as an exclusion in the US policy offering of this insurer serves as an insuring agreement in the UK policy. And this is just one example.

In sum, a multinational corporation, regardless of where it is headquartered, can no longer afford to limit itself to a review of the insurance wordings, and capacity, offered in the country in which it is headquartered. For any e-commerce insurance issue it tries to address, it must conduct an international comparative analysis of wordings available (both in stand-alone e-commerce policies and in e-commerce endorsements to traditional policies), at least in the key marketplaces of the world. And if the multinational company does not have the means to conduct such an international comparative analysis, then it needs to "partner" with an insurance professional, whether broker, consultant, or lawyer, who can advise the company on such issues.

Concluding Thoughts

In the final analysis, professionals in the insurance industry, whether they be risk managers, insurance brokers, underwriters, lawyers, or consultants, should know and understand the coverage issues being addressed by the new stand-alone e-commerce insurance policies (both the combined forms and the first-party-only coverage forms). Such knowledge is needed for a number of reasons, including knowing what issues to look for when (1) placing one of the new policies, and (2) auditing an insurance program to determine what, if any, "tweaking" should be done to it so that it more fully responds to e-commerce risks along the lines of the new stand-alone e-commerce insurance policies.

The need to understand these issues on an international comparative level cannot be overemphasized. As a risk manager (especially of large multinational corporations), the only way to assure yourself that you are truly seeing what the market really has to offer is to obtain and review e-commerce wordings offered in the major insurance centers of the world. And, if you do not have the time or resources to conduct such an analysis yourself, you should hire someone to do it for you. It makes no sense for multinational corporate insureds who compete with each other around the globe to have markedly different e-commerce insurance coverage merely because they are headquartered in different parts of the world. That potential scenario is antithetical to the concept of a global insurance marketplace and should be avoided.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

Like This Article?

IRMI Update

Dive into thought-provoking industry commentary every other week, including links to free articles from industry experts. Discover practical risk management tips, insight on important case law and be the first to receive important news regarding IRMI products and events.

Learn More